Re: enforcement first, ask questions later?

[Daniel Pocock]

On 04/02/2019 22:52, Pierre-Elliott Bécue wrote:
>
> That being said, don't try to involve Human Rights or any State of Law
> justice notion in this as this is mostly irrelevant to the subject.


See my recently censored blog[1] to understand why this is hypocritical

Among other things, if we didn't care about human rights, we wouldn't
care about software licenses either, we would just copy any source code
we want to use.  You can't pick and choose rights like that and deliver
a consistent argument.

Regards,

Daniel


1. https://danielpocock.com/debian-human-rights-paradox

Re: enforcement first, ask questions later?

[Daniel Pocock]

On 04/02/2019 13:09, Pierre-Elliott Bécue wrote:
> Le 03/02/2019 à 08:38, Daniel Pocock a écrit :
>> [snip]
> Daniel.
[snip]
> Forcing people to hear them again multiples times is neither relevant
> nor a sane thing.


Why make this personal?  Why not say the same thing for the
anti-harassment team trying to promote their political agendas with
their regular "bits" emails and their talks?  When the dark side of
enforcement keeps rearing its ugly head over and over again, why would
you deny people a right of reply?

Given my previously stated commitment to free speech, I accept those
emails and talks no less than I thirst for a wider variety of responses
rebutting them.

This all reminds me of the TSA constantly reassuring America about all
the things they have to do to make people "safe".  If somebody grimaces
every time they see their child being patted down for their own good,
would you question their sanity too?  Or are they the only person who
has retained their sanity?

Maybe I am insane, convinced that Debian's reputation is worth fighting
for when other people already gave up.  This is not about me, it is
about the whole community.  So many people told me they are afraid to
speak now because DAM keeps dossiers.

I didn't join Debian to put it on my CV.  I've been promoting Debian
since 1997 but I never rushed to join as a DD.  I only joined in 2012. 
I did that because I wanted to do more for our users.  If I didn't seek
to participate for some benefit to my reputation, why is it that people
see fit to attack me personally and threaten my reputation in the way
that they have?

Some people also feel that the very personal replies (like yours,
this[1] and this[2]) deter other people commenting and that adds to a
perception that these concerns are not more widespread.  Who would want
to be put down by a reply like that or called a sock puppet?

If this mailing list is not the right place to hold the leaders to
account and if they insist on "demoting" volunteers and stubbornly
refuse any meetings, even when we were all at FOSDEM on the weekend,
what is the next step?  Do developers need to come to DebConf in yellow
vests[3]?  Or do we follow the FSF/FSFE example and set up a separate
"Debian Europe" for the people who don't want to waste more time arguing
about what a "real" Debian Developer is?  It is quite ironic that a
British DPL is following in the footsteps of imperialism, taking this
divide-and-conquer approach, stratifying the community, putting people
into the "demotion" sin bin at the same time that his country is
threatening to divide and starve[4] Ireland again.  No deal == division,
it is that simple, it is a threat repeated many times every day and
millions of Irish people see borders and walls as an act of war.

In fact, maybe a lot of the toxic problems appearing in Debian are
reflections of the "adult" leadership in the world today.  You can't go
anywhere in the UK without hearing the "no deal" threat.  Threats are
the new normal.  You can't go anywhere without passing signs calling on
you to snitch[5] on people who look different, maybe that has
subconsciously inspired some of the recent calls for dossiers on people?

Yet despite the huge differences of opinion over Brexit in the British
Tory party and despite the fact that all Europe can't stop laughing[6]
at them, I notice that not one member of the Tory community has been
expelled.  If they can voice such wildly divergent opinions and work
through their differences under such immense pressure, why can't Debian?

Regards,

Daniel

1. https://lists.debian.org/debian-project/2019/01/msg00211.html
2. https://lists.debian.org/debian-project/2019/02/msg7.html
3. https://en.wikipedia.org/wiki/Yellow_vests_movement
4. https://www.thetimes.co.uk/article/3d9d4f44-f9ad-11e8-83e5-4dc2d31f2a89
5.
https://www.theguardian.com/commentisfree/2016/nov/07/anti-terrorism-posters-nazi-propoganda
6. https://youtu.be/CaYTm7ip9g0

Re: enforcement first, ask questions later?

[Daniel Pocock]

On 04/02/2019 08:18, Ondřej Surý wrote:
> In the past, I’ve seen some communities to wither because of a toxic person 
> violently pushed their agenda on everybody.
>
> This is certainly following the similar pattern.
>
> That’s my first and last 2 cents to this discussion.

Thanks for your feedback

There is no such thing as a toxic person

There is a very toxic situation though which can be traced to certain
abuse, threats and scapegoating.

Regards,

Daniel

Re: enforcement first, ask questions later?

[Daniel Pocock]

On 03/02/2019 11:02, Martin Steigerwald wrote:
> Daniel Pocock - 03.02.19, 08:38:
>> This reveals a lot about the serious problems in Debian right now. 
>> Did we really sign up to be part of an experiment like that?  I
>> didn't.
>>
>> Why do certain people want to start out with enforcement, skipping
>> over normal human relations, avoiding meetings for almost a year,
>> assuming they always know who is at fault?
> Quite bold accusations, Daniel.

Those are known facts, not simply accusations.  They acted like Debian
is a Facebook group, deleting people without any process or discussion. 
Afterwards, during January 2019, they started making up a process to
validate their decision retrospectively.  Their arrogance is no less
bold than my own repudiation of it.

Various people have discussed it privately, sharing communications from
AH/DAM/DPL and concluded there is a pattern in the communications from
our leaders.

de Blanc's talk description also appears to corroborate the same pattern
of communication.  But I want to make it clear I'm only referring to the
description, I didn't see the talk or video yet.

I'd ask people to view this constructively, how can that pattern of
communication be improved when people have some differences?


> And in yet another thread about what seems to be about the same topic 
> than in about half a dozen or even a dozen of threads before this 
> thread. If the previous threads did not give you the results you wanted, 
> how do you come to believe that this new thread will?


No doubt de Blanc has spent some time and effort preparing her talk.

I fully believe a DD giving a talk is worthy of its own thread, even if
I disagree with what the description is suggesting and even if there is
a perception the talk may be trolling people about the issues in
previous threads.  I heard feedback from people who attended the talk
but I would leave it to them to post that here.

I hope somebody will start a thread about my talk too.  I would
encourage people to watch de Blanc's talk video, even more than my own,
with an open mind and also review material, like the movie Das
Experiment, to get a comprehensive understanding of the issues and risks.


> Did you actually aim at talking with the people you accuse? Did you 
> contact them personally by mail *before* writing these bold accusations 
> to the list?

> Our even more clearly: Are *you* even interested in really talking 
> *with* them, instead of just *about* them?


There have been numerous public and private requests for meetings, for
example, the public thread suggesting that we need a mediation procedure
rather than an "anti" something approach.

I had personally written to Chris Lamb a couple of weeks before FOSDEM
and on other occasions and he never provides any constructive reply.


> That written, I do not have any firm opinion on how true your or the 
> story of anyone else who is involved in that is. In the end, they are 
> all just that, *stories*. None of it is absolutely true or absolutely 
> wrong. 


People should not be rushing to make stories about each other public anyway.

As nobody knows the stories and even if we did, it would be hard to
validate parts of them, it would be good to start by making decisions on
the principles, for example, with one or more GRs to address the following:

- does the community want to rule out the use of secret "evidence"?

- if it isn't ruled out, what can be done to reduce the unfairness?

- what are reasonable periods for volunteers to respond to complaints? 
48-72 hours is far too short.

- do we uphold the presumption of innocence, except in the most
outrageous instances of misbehaviour?

- does the community revoke any adverse statements that have been made
through the history of the project, not just the recent emails from
Chris Lamb?  Do we issue guidance to future DPLs that they can never
undermine or speak badly about any developer, past or present?

It is better to answer those questions without reference to any
individual cases.


> For me, to exit the current approach of accusing each other is to assume 
> good intentions and really notice that there is no fault in life. There 
> are certainly correct and incorrect decisions and different opinions on 
> what those are, but how would it be if what happened is simply just 
> that, is simply just what happened? And what if, just what if it is no 
> one's fault, but just a result of a large group of people having 
> different opinions and viewpoints of how to work together and struggling 
> to find a consensus on how it can work out?

I notice that in the Tory party ruling over the United Kingdom,
everybody has a different opinion on Brexit.  They argue and fight
vigorously but they didn't expel anybody.

Most organizations find ways to work through d

Re: enforcement first, ask questions later?

[Daniel Pocock]

On 04/02/2019 02:16, Steve Langasek wrote:
> On Sun, Feb 03, 2019 at 08:38:54AM +0100, Daniel Pocock wrote:
>> It is a fact that both Lamb and de Blanc have stated at various times
>> during 2018 that they didn't have time to talk to people. It is also a
>> fact that multiple people have complained that Debian leadership figures
>> are too busy to talk to them.  Is it acceptable for them to skip over
>> talking to people and rush to enforcement simply because they are busy? 
> Yes, it is.
>
> The first duty of the DPL and any delegates is to the Debian Project as a
> whole, not to any individual developer.  If the appropriate delegates have
> determined that an individual developer's behavior is damaging to the
> project, they are absolutely justified in enforcing first.
>
> Restorative justice is a worthwhile goal, but it is a luxury.  It is not the
> responsibility of the Debian Project to rehabilitate every contributor who
> it's determined has overstepped boundaries.  Even ignoring the effect of bad
> actors, that constitutes an open-ended committment.  And even if the
> project's representatives HAVE made a committment to rehabilitation, it is
> STILL acceptable to enforce FIRST if in their sole judgement this is
> necessary in order to limit any ongoing damage.
>
> If you don't understand this, then it is unsurprising to me if enforcement
> escalates.
>

Is that a threat?

enforcement first, ask questions later?

[Daniel Pocock]

Hi all,

In Molly de Blanc's FOSDEM talk description[1], the first line reads "Is
there a single right way to enforce a code of conduct, community
guidelines, or whatever you call the systems you have to help maintain a
good community?"

Now might be a good time to watch Das Experiment[2] (or the trailer). 
Does that look like a "good community"?

This reveals a lot about the serious problems in Debian right now.  Did
we really sign up to be part of an experiment like that?  I didn't.

Why do certain people want to start out with enforcement, skipping over
normal human relations, avoiding meetings for almost a year, assuming
they always know who is at fault?

It is a fact that both Lamb and de Blanc have stated at various times
during 2018 that they didn't have time to talk to people. It is also a
fact that multiple people have complained that Debian leadership figures
are too busy to talk to them.  Is it acceptable for them to skip over
talking to people and rush to enforcement simply because they are busy? 
Or is that an even bigger risk to community safety?

My impression is that if you don't have time for people, if you don't
listen to people, you don't gain their respect.  If you don't have their
respect, enforcement is even less likely to convey whatever message you
hope it will.

What happens when you can't tell the difference between enforcement and
abuse any more?

What happens when you know it is abuse, how do you stop the enforcers
doing it and hold them to account?

Is anybody in Debian really qualified to conduct enforcement operations
anyway?

Is it right to use defamation and character assassination as a tool of
enforcement?

Regards,

Daniel


1. https://fosdem.org/2019/schedule/event/community_guidelines/
2. https://www.imdb.com/title/tt0250258/

Re: Call for experiences of Norbert Preining

[Daniel Pocock]

On 09/01/19 17:03, Ian Jackson wrote:
> Please search your communications archives.

I notice Norbert is somebody who goes beyond the core responsibilities
of maintaining packages, thinks about challenging social issues that
affect our community and looks for ways to communicate about them. 
Mistakes he may have made in written English pale in comparison to the
mistakes I've personally made in German or any other language that I
have dared to use in public but that isn't really relevant to somebody's
competence as a developer anyway.  Like all of us, he appears to have a
genuine concern for users of his work, even when faced with challenges. 
I don't believe I have ever met him personally at an event but I hope I
will some day.

> I will summarise and collate these reports.

I'd like to thank Ian for volunteering and Wookey for enhancing[1] the
concept.  Spending some time documenting and talking up the
contributions that other people make to this project could help provide
a way to address current and future challenges.

Maybe contributors.debian.org could be enhanced to allow people to write
ad-hoc reports about things they appreciate in the work of other
developers?  This would help build a nice record of contributions, a big
improvement over the practice of leaving "unavoidable traces in public
databases" as one developer recently put it.


On 09/01/19 17:43, Martin Steigerwald wrote:
> Thomas Lange - 09.01.19, 18:17:
>>> This reminded me about
>>> https://lists.debian.org/debian-project/2018/12/msg00025.html
>> For easier understanding, this is the post from Daniel with subject:
>>
>> "€ 500 cash bounty for information / Debian privacy breaches"
> Thanks for looking it up.
>
> I do not consider either of those helpful or ethically sound.
>
> For me it has something about denouncing people aka "please tell us how 
> bad this person has been".


There is a massive difference between the two cases:

This thread concerned an ordinary member of the organization, who had
not even been on the mailing list for almost a week and it was very
broad in it's aims.

In my post, about conduct of the DPL/DAM, I was holding power to account
and legitimately asking about breaches of privacy and also getting to
the source of gossip.  It was only posted after I already had good
reason to make the inquiry, it wasn't just some dragnet exercise to see
if anything was out there.  The intention was not to harm anybody,
rather, to prevent further harm.  It also helped in another way: nobody
has ever sent  evidence of DAM or AH leaking outside the project, so we
found out they were not the source.  It raises an interesting question
though: even though there was no evidence of DAM leaking outside the
organization, should they be more robust against political interference
in their processes?  Privately, they wrote that another person had "seen
a draft of the first mail we sent" and it appears that person was
responsible for the privacy breaches.

Some people noticed that Bits[2] from the DPL usually ends with a call
for people to email the DPL privately with their "concerns".  If this
style of communication/call-to-gossip is not what we want in Debian,
maybe that is the place to begin changing it?  Perhaps the next Bits
could finish with a call for people to speak to each other directly
instead of emailing the DPL/AH/DAM?

Regards,

Daniel


1. https://lists.debian.org/debian-project/2019/01/msg00180.html
2. https://lists.debian.org/debian-devel-announce/2018/11/msg7.html


--
Debian Developer
https://danielpocock.com

Re: Appeal procedure for DAM actions

[Daniel Pocock]

On 26/01/19 16:12, Sam Hartman wrote:
> reasonably, I think that he's reached a level of

The post wasn't intended to start a discussion about anybody specific,
it is about the procedure.  Please don't shoot the messenger.  This
tendency to make discussions personal, especially when somebody has a
raised a challenging issue, contributes to a lot of the bad vibes that
people subsequently complain about.

If my view of this procedure is pretty dismal, that's just because I
value the people who contribute to Debian and I don't think any of us
are disposable.  People are not packages and applying a `dpkg --purge
person` attitude for arbitrary political purposes or differences in
personalities in such a large organization is abhorrent.

To put it bluntly, when a volunteer receives a threat email with a bunch
of official-looking CCs, it feels like intimidation from gangsters.  It
is a disgrace for Debian to make that impression on people.

Another blunt assessment of the situation, which can be deduced from the
private emails: the DPL thought he could skip over meeting with people
and talking to them and tried to simply sweep them under the carpet with
6 month "demotions" that would leave them for the next DPL to deal
with.  To save himself maybe a couple of hours investing in
relationships, which is a basic responsibility of any leader, the DPL
has cost many people a lot more time and hurt some long standing
contributors in a bad way.

If Debian wants credibility rather than a kangaroo court, it is
essential to get the principles right, not only for fixing the current
mistakes but also to avoid a repeat of anything remotely like that in
future.  If I didn't think this process could be improved I wouldn't
have written about its flaws in such detail, so please don't accuse me
of failing to be constructive.

There have been numerous cases of communications breaking down with
various people recently so please don't continue to make personal
accusations or single people out.


> constructive discussion.  I think that Daniel's post would take a long
> time to respond to for a lot of us who have recently spent a lot of
> energy trying to work through some really hard issues.


Not everybody has seen all those details but snippets of it, like this
thread, have been selectively released into debian-project

This is another example of why the procedure is morally bankrupt: if the
DAM can take this guilty-until-proven-innocent approach, remove somebody
from the debian-private mailing list and then use that forum to promote
a version of events that the member can't see and rebut before a GR vote
then the vote is biased against the member concerned.

DAM can prove me wrong of course by guaranteeing that members subjected
to this procedure will continue having access to debian-private right up
to the end of any GR ballot on their membership.




> Here's why I don't think the post is constructive.  There are a lot of
> reasons why you'd want to have rapid action for handling situations
> other than questions of technical competence.  There are significant
> cases where maintaining the safety of the community requires rapid
> action.  There's a lot of thought put into antiharassment efforts that
> argues for fairly rapid resolution of issues rather than the long
> drawn-out processes that Daniel supports.


For the record: you mention "safety of the community", but there was
never any safety issue on the part of any of the people threatened, it
was purely politics[1], scapegoating and some misunderstandings.  The
only safety issue is the sending of threats and defamation by Debian
leadership figures.

My post is not opposed to rapid action.  I fully believe in rapid action
to engage with people and improve relationships in the community, for
example, people have asked[2] questions about mediation.  Or simply
meeting with people to talk about issues.

Rapid action that may hurt people is to be avoided.

Rapidly skipping over the former to attempt the latter is even more
disturbing.

Rapid action to find the cause of a problem is good too.  Rapidly
searching for a scapegoat or somebody to blame is not.

In a number of cases this year, I've observed the DPL jumps into issues,
and I'm even counting at least one technical issue here, where he takes
a side without even asking for all sides of the story.  In the technical
issue that comes to mind, he had actually conflated two different pieces
of work and formed an opinion about the discussion way too early.  In a
technical debate it may be possible to overlook lapses like that, but
impartiality and neutrality are essential when dealing with grievances
and personal disputes.

This is a challenge for anybody in the DPL role.  Sometimes I thought it
was just a "clearing the inbox" mentality at work, a DPL rushing to tick
everything off before the end of the day, giving every email a fast
answer rather than the best answer.

The type of DAM actions discussed in this and some related th

defamation - "is this true?"

[Daniel Pocock]

A number of defamatory emails have been circulated recently in private
in various communities, not just Debian.

A number of people have been very kind to forward them to the people
concerned and simply ask "Is this true?  Would you tell me what happened?"

An email sent on debian-private, or even encrypted to just one person,
can still be defamation.  To qualify[1] as defamation, it only has to be
seen by one other person.

Even something that might be true or is partially true can be
defamation.  How does it make you perceive the other person?  Examples:

- an email stating "this person did something bad, we have secret evidence",

- an email stating somebody was demoted or disciplined, especially when
the outcome is disproportionate and the author of the email may have had
some role in imposing that outcome,

- even the wide-reaching email asking for information about another
developer earlier this month is probably an example of defamation,
similar emails sent privately about any developer would also be defamatory,

People have a tendency to trust emails from those in positions of
authority.  In fact, it is correct to question those emails in exactly
the same way because even a small defamation by somebody in a prominent
role can do more damage than a big lie from somebody less well known.

I doubt that anybody wants to pursue a lawsuit for defamation, it could
even be perceived as another attempt at censorship.  If they did, they
probably already have more than enough material to do so.  Seeking out
the full story and letting people know you are one of those with an open
mind is simply the right thing to do and can help stop the rumours and
negativity more quickly.  So please continue to privately ask what is
behind those emails.

Regards,

Daniel

Re: Proposal: mediators

[Daniel Pocock]

On 08/01/19 15:47, Sam Hartman wrote:
> I think that rather than writing down a procedure like this it would be
> better to  get some success cases of trying something along these lines.

There appear to be some excellent opportunities available to try this.

It also appears to be better than having a GR or a series of GRs.


> So, for example, I'd recommend that you and people who have similar
> views volunteer to be available as mediators.
> Once people use your services, and you have some practical experience
> then worry about writing it up.
>
> I am interested in mediation  but my approach is very different than
> yours.



I'm not going to weigh in on which approach is best.  The only hard rule
and most fundamental prerequisite for mediation to start is that the
person running the process is perceived to be neutral by all sides.

Given my own comments and request for information recently and my former
role as a representative in FSFE, many people have contacted me
personally to share stories about intimidation in free software
communities.  There is a common pattern across multiple communities and
it appears to apply to all those specific cases discussed recently in
Debian:

a) without blaming any side, there appear to be problems in the
relationship that have been well known for some time.  There was simply
no reason to suddenly pounce on people like this.

b) the relevant people actively attend events (e.g. DebConf, MiniDebConf
and other free software events) where nobody makes any attempts to
discuss any concerns or improve the relationship.  Even if the
relationship is uncomfortable or if the person concerned doesn't attempt
to make contact, I personally feel it is a responsibility of leadership
figures to take the initiative although in recent cases, other people
have taken initiative through 2018 and leadership figures have actively
declined opportunities for meeting or mediation.

c) at some random moment afterwards, a person is sent a long written
list of perceived failings, usually with threats or punishments.  These
emails are usually CC'd to multiple addresses which adds to the feeling
of intimidation and bullying for the person who receives the email. 
Let's face it, do you take this approach in any other relationship?  For
example, would you just send an email to your neighbour one day with a
long list of things they did wrong over the 10 years they have been
living beside you?  Would you send a list like this to your spouse?  Why
does Debian do this to members?

d) this hostile approach is reflected in subsequent communications by
all parties, making the environment even more awkward for all parties
and the wider community

This is not just happening in Debian.

I feel that just about any approach to mediation would improve upon the
pattern people are describing.

The formation of the antiharassment team suggests there is some
enthusiasm for having some dispute resolution capability in Debian.  It
appears that these unsuccessful approaches are being improvised because
of a lack of training and experience in dispute resolution.  I would go
as far as saying that spending money on training a number of people to
implement best practice and improve the culture may be a better use of
funds than something like Outreachy (USD 20,000 per year) as bringing
these capabilities into the organization may do far more to create the
culture required to solve the Debian diversity problem.

One of the people concerned actually contacted the DPL in March 2018 to
try and improve discussion:

"It seems we are both sometimes disappointed with the communications
between ourselves.  We both believe in the same things and we both
believe in the integrity and reputation of the Debian project. Maybe the
mode of communications isn't ideal.  Could it be better for us to find
an opportunity to discuss things in person perhaps?  I am usually in the
UK"

and the DPL has repeatedly declined any discussion.  It is not clear to me how 
the DPL can be qualified to give opinions about members of the project when he 
doesn't have time to talk to a member directly first.  What is clear is that a 
lot of time could have been saved for many people if more value was placed on 
having such meetings.

The appeal process recently discussed appears to be unsuitable.  There
is at least one showstopper which I have documented[1] in that thread. 
If people understand that the appeal process is unsuitable and may never
be used, that leaves the organization to choose between mediation or a
GR.  DAM could also save everybody a lot of time if they choose to
pre-empt that discussion, roll back and arrange mediation.

Regards,

Daniel

1. https://lists.debian.org/debian-project/2019/01/msg00231.html

Re: Appeal procedure for DAM actions

[Daniel Pocock]

On 07/01/2019 23:27, Joerg Jaspert wrote:
> Hello everyone,
> 
> One of the things that emerged from the recent discussions around DAM
> actions is that we are missing a way to review or appeal DAM's
> decision.  Currently the only way to do this is running a full-featured
> GR, with all the negative side effects such a process has.
> 
> While a GR is a constitutional right, and the procedure we lay out here
> does NOT take that away, we feel there is a need for a less drastic
> procedure that would allow double-checking of DAM actions without
> escalating into a project-wide dispute.
> 
> With this message we define a way to appeal a DAM action, that balances
> between involving other members in the review, and ensuring that we have
> sufficient independent oversight.
> 
> Although this defines a pretty strict timeline for the procedure to
> avoid a long-running process, we waive the time limit defined in §1 for
> the cases from the last 6 months.
> 
> 
> 
> 1. Appealing DAM decisions
> --
> Any person who had their Debian membership suspended or revoked by DAM
> may appeal the decision. They must request the appeal within 30 days,
> stating why they disagree with the decision in a mail to DAM. DAM will
> notify the New Members Committee (NMC)[1][2] and Front Desk.
> 
> The original action taken by DAMs remains in force during the appeal.
> 

Happy Australia Day everybody.  Please take a moment to review the
Wikipedia definition[0] of a kangaroo court, many people have privately
commented on the irony of kangaroo courts in this situation.  Various
points stand out and care is needed to avoid the perception that this
type of thing happens in Debian:

"proceedings are often held to give the appearance of a fair and just
trial, even though the verdict was already decided before the trial
actually began"

"A kangaroo court could also develop when the structure and operation of
the forum result in an inferior brand of adjudication. A common example
of this is when institutional disputants ("repeat players") have
excessive and unfair structural advantages over individual disputants
("one-shot players")"


The way that DAM has been making decisions without consulting the
members in question is a "shoot first ask questions later" approach.
Making a decision and asking people to appeal suggests they are "guilty
until proven innocent"

In the case in 2016, the member concerned was given 48 hours to answer
questions.  Most DDs would struggle to respond in that period,
especially if they were on vacation or had other deadlines for their job.

Now DAM appears to have abandoned even that hint of due process and
decided that they don't even need to give that 48 hours.  It is as if
people are being unceremoniously dumped out the back door.

The process needs to be much more reasonable, perhaps 90 days at each
step and not even making a first decision without reasonable time.  The
process for accepting a member generally takes quite some time so it is
contradictory to have this lightning-strike expulsion process.

How can a decision that may unfairly impact somebody's work and
reputation be implemented before the member has exhausted all
opportunities for appeal?

If the reason is due to urgent questions about technical competence, DAM
have another option: they change somebody's status from Uploading to
non-Uploading developer.  The member remains a member in the sense that
they can vote and their reputation is less likely to be jeopardized by a
decision that hasn't been confirmed by a full process.


> 
> 2. DAM statement
> 
> Within 72 hours DAM will provide a statement to the NMC and the appealer
> with their reasoning for the account status change.
> 


Why the NMC?

Why not consider having an elected membership committee?

With the current proposal, DAM can watch the way that NMC evolves over
time and choose to make a decision at a time when they think the current
members of NMC are likely to support the decision.

This is one of those "structural advantages" of a kangaroo court.


> DAM may also send additional material to the NMC only, encrypted to the
> individual members, if they deem it necessary for the case, and if
> presenting this to a wider public might cause issues of confidentiality
> for involved third-parties. The NMC members are expected to avoid
> disclosing this material to anyone else, including the appealer.[3]
> 

The presence of secret evidence is a showstopper here.

Another one of the "excessive and unfair structural advantages over
individual disputants" that typifies a kangaroo court.

If a member goes to a GR, they won't be contending with any secret
evidence because everybody (the member and the rest of the community)
will be working off the same public evidence and the member will be able
to challenge any of it as necessary.

In the current situation, "evidence" that is 100% d

Re: Cyberbullying (was: Censorship) in Debian

[Daniel Pocock]

On 28/12/18 07:42, Charles Plessy wrote:
> Le Wed, Dec 26, 2018 at 05:35:38PM +0900, Charles Plessy a écrit :
>> Whether DD -> DM demotions will happen again and are going to become a
>> new tool for solving social conflicts is an important decision that
>> needs an open discussion where conesnsus is being sought.
> Unsurprisingly there are monster threads on explusions on
> debian-private.  Parts are specific to some people, and parts are about
> procedure.  I am not going to read the threads, because I do not want to
> be bound to secrecy about the discussion on the procedure.


Anybody with any experience of cyberbullying or harassment wouldn't
simply cringe at this, they would be looking on in horror at the very
existence of these "monster threads" in a community that is so
influential and respected as Debian.

Please take a moment and think about what is the worst that eventually
happens when a community (or it's leader) abuses members in this way
indefinitely.

https://cyberbullying.org/cyberbullying_and_suicide_research_fact_sheet.pdf

The people who unleashed this monster need to take responsibility.  They
have created and sustained this state of hostility, since 20 September,
every other wayward communication that has come up is a consequence of
that.  No member of this community should ever have been expected to
bear such a heavy burden.

Stop this now.  Make sure it never happens again in Debian.  It is that
simple.

Regards,

Daniel

--
Debian Developer
https://danielpocock.com

Re: anti-harassment team membership concerns

[Daniel Pocock]

On 27/12/18 12:04, Jonathan Carter wrote:
> On 2018/12/27 06:56, Daniel Pocock wrote:
>> Specifically, I notice that Molly recently joined the team and she is
>> also a member of the Outreach team.
>>
>> This is not a personal attack on Molly, I simply believe that for
>> various reasons being in both teams at the same time is incompatible for
>> anybody.
> That's a rather big statement to make and unless I missed something, you
> didn't really explain why that's the case. AH and outreach isn't
> inherently incompatible and neither are there any conflict of interests.


Having seen examples of different situations in private, having been
GSoC admin twice and also having been in various representative
positions where people come to me with grievances I feel comfortable
making that statement from experience.

It is also potentially quite a strain on somebody to do AH or any
welfare-oriented role properly.  I would hate to see the AH team make a
mistake with somebody because they have multiple demands on their time,
especially the demands of GSoC deadlines.

It can be quite rewarding if you succeed in earning people's trust on
all sides and achieving win-win outcomes but even when you get the best
possible outcome in a dispute, you can still go away feeling drained.

Regards,

Daniel

Re: anti-harassment team membership concerns

[Daniel Pocock]

On 27/12/18 12:30, Pierre-Elliott Bécue wrote:
>
> Yet you fail to provide a shred of evidence here. My first guess would be
> that you don't have any.


In the case of this anti-harassment thread, as I clearly stated already,
it is not about evidence and is not about Molly personally, it is about
whether or not the roles are logically compatible.  That is independent
of the other integrity issues.

I posted evidence on the other thread where it belongs.

Regards,

Daniel

Re: (evidence) conspiracies and character assassination

[Daniel Pocock]

On 27/12/18 07:39, Geert Stappers wrote:
> } He threatened to ...
>
> Next time such thing happens, ask for clarifycation.
> To get sure the recieved "threat" was transmitted as threat.
>
> Adding a "why?" does help.  Doing something with an answer to the why
> will get both parties further.
>
>
> Cheers
> Geert Stappers
> DD
> Who is recieving the "repair attempts" as further damage


Please reflect only on Lamb's statement[1] where he tells me, in front
of the whole community, he has "been nothing but scrupulous and
gentlemanly with regards to your personal privacy".

To jog Chris Lamb's memory, I post the non-defamatory part of a message
below.  I feel my decision to post a bounty for information is entirely
vindicated.

There are two breaches of trust:
- the information he disseminated from DAM on 20 September, as
demonstrated below
- the statement[1] where he publicly denies it on 21 December

When a leader makes a denial to the whole community, in such
circumstances, it undermines confidence in information and decisions
from Debian, undermines people's willingness to trust them (or Debian)
with private information and this erodes their ability to perform their
role.

Regards,

Daniel


Subject: Daniel Pocock & Debian
From: Chris Lamb 
Date: 20/09/2018
CC: lea...@debian.org



Please note that this was communicated to him privately, leaving any
disclosure to his decision and discretion.





1. https://lists.debian.org/debian-project/2018/12/msg00021.html

Re: conspiracies and character assassination in the name of Debian?

[Daniel Pocock]

On 27/12/18 11:17, Martin Steigerwald wrote:
> Dear Daniel.
>
> Daniel Pocock - 27.12.18, 05:41:
>> On 21/12/18 09:25, Jonathan Dowland wrote:
>>> I agree with Russ that your framing of this is absolutely abhorrent.
>>> Your continued justification of it is digging a bigger hole. I beg
>>> you, please take a step back and reconsider your approach here
>>> before continuing along these lines.
>> There is clear evidence of character assassination.  I'd like to thank
>> all those who responded after my cash bounty offer.  Once again, I
>> regret that we are in this situation where such methods are
>> necessary.
> I do not intend to comment on the other stuff discussed here, … as I 
> clearly do not have a complete picture of what is going on, just 
> fragments.
>
> However, I see setting bounties for "denouncing" people as harmful to 
> the Debian project.

Let me make it absolutely clear: the bounty is not for denouncing
people, molesting them or any other bad behaviour.  The bounty was
offered as a request for factual information, for example, copies of
emails and documents.  To make an analogy, a bug bounty is not paid for
cutting off the head of the developer responsible for the bug.

I emphasized the need to reply privately: in other words, no money has
been offered to publicly attack anybody.

Before offering the bounty, I already knew enough about the situation to
know it was more than wild speculation.

Another benefit of this bounty was getting facts that clear the names of
people who did not disseminate private or disparaging information.  The
person who disseminated information, Chris Lamb, owes an apology to DAM
and AH for bringing the integrity of their processes into disrepute.

> From what I see it would be most beneficial if the people who are 
> involved would just meet and speak about it from person to person or at 
> least in some kind of voice conference call. Maybe with a help of a 
> mediator, who is clearly not involved with the issue to be cleared up.

That is excellent advice, in fact, I tried it well before offering the
bounty.

This is what I wrote to Chris Lamb in March 2018

"It seems we are both sometimes disappointed with the communications
between ourselves.  We both believe in the same things and we both
believe in the integrity and reputation of the Debian project.

Maybe the mode of communications isn't ideal.  Could it be better for us
to find an opportunity to discuss things in person perhaps?  I am
usually in the UK once per month, usually around Herts, currently I'm
here until Thursday."

Lamb has told me throughout this year he hasn't had time. Yet documents
I received show me he found time to spread gossip. What is a better use
of a leader's time, meeting a developer face to face or speculating
behind their back at a time of personal tragedy?  What is more likely to
protect the project's reputation and what is more likely to backfire?

Regards,

Daniel

anti-harassment team membership concerns

[Daniel Pocock]

Hi all,

I have serious concerns about the current membership of the
anti-harassment team.

Specifically, I notice that Molly recently joined the team and she is
also a member of the Outreach team.

This is not a personal attack on Molly, I simply believe that for
various reasons being in both teams at the same time is incompatible for
anybody.

At this particular moment, we also had some communications issues in the
GSoC team in 2018 and on that basis, I don't feel it would be
appropriate for any member of that team to suddenly transition to
anti-harassment.  No individual member of the team deserves to be blamed
or scapegoated for that, all members of the team have some
responsibility for it.  So this is not specific to Molly, we would all
be ineligible.

It just makes me feel really uncomfortable when one member of the
Outreach team might have been used as a scapegoat to sacrifice on the
high alter of Google and another attends the GSoC mentor summit and then
immediately jumps to anti-harassment like this.

Anti-harassment might also have a role to play if somebody wants to make
a complaint about Google's influence.  Can somebody who attended the
summit at Google's expense be part of that discussion?

Generalizing the problem, I suggest that anti-harassment may need to
keep track of conflicts of interest, e.g. anybody involved in any other
team that experienced a complaint or a dispute probably shouldn't join
anti-harassment for some period, maybe 12 months or more, after the
complaint was closed.

Without such protections, it may appear that certain people are immune,
being favoured or that they get access to restricted information about
people they work alongside in another team.  I'm not alleging this is
the case with Molly but that is the perception that would arise in any
situation like this.

Regards,

Daniel

--
Debian Developer
https://danielpocock.com

conspiracies and character assassination in the name of Debian?

[Daniel Pocock]

On 21/12/18 09:25, Jonathan Dowland wrote:
> I agree with Russ that your framing of this is absolutely abhorrent.
> Your continued justification of it is digging a bigger hole. I beg you,
> please take a step back and reconsider your approach here before
> continuing along these lines.
>

There is clear evidence of character assassination.  I'd like to thank
all those who responded after my cash bounty offer.  Once again, I
regret that we are in this situation where such methods are necessary.

The purpose of the culprits is to promote fear, exert control over
others, induce self-censorship, damage relationships around a developer
during a time of acute personal tragedy and coerce somebody to explain
what went wrong in a project by releasing details about their private
life or punish them for not disclosing those details.

The intention to induce self-censorship is particularly disturbing as it
was timed immediately before the FSFE annual meeting (AGM).

In fact, Matthias Kirschner at FSFE had already tried to have the
elected representative, myself, removed in an obfuscated motion in May
2018.  That vote failed.  He spread a malicious lie about me as a way to
have another vote.  He circulated the libellous accusation to many other
people.  He threatened to expel me from FSFE without any evidence.  He
set a deadline for 20 September for me to respond, just before the AGM
on 7 October.  The series of abusive emails from people in Debian
commenced just hours before the Kirschner / FSFE deadline.  Under this
overbearing abuse, I felt I could not go on in my role at FSFE and
resigned in disgust.  Long live democracy.

To remove any ambiguity, I resigned in disgust, not in disgrace. 
Resignation in such a situation is an act of protest and defiance. 
Kirschner continued to send me threats even after my resignation, that
reveals everything you need to know about FSFE's culture.

Given the circumstances, the smell of conspiracy is like that of a dead
animal who's long dead carcass we will imminently discover.  I'm already
contemplating the size of another cash bounty, this time, for somebody
in FSFE to talk.  Would it be worth it now that the FSFE fellowship has
imploded, is FSFE a dead duck anyway?

Chris Lamb, would you be willing to sign an affidavit, swearing on risk
of perjury, that you never had any conversation with anybody at FSFE
this year about the elected fellowship representative, myself?

FSFE censored communications of the elected representative, including my
blog and mailing list posts, well before I actually resigned.  That was
one of the things that immediately came back to me in December when I
saw Norbert's blog vanish.  Is Debian now following FSFE down that
slippery slope?

I'm not the one putting these presents under the Christmas tree, I'm
just the one opening them up.

I understood the attacks I received since September were a veiled threat
to attack my reputation and thereby exert control over me.  It is
character assassination++

Also, the similarities with Khashoggi are increasing: even though there
is no bone saw, the culprits acted with great arrogance, they left a
trail that has been a little bit too easy to pick apart and they take us
all for fools with public denials and lies.

The most striking legacy of such plots are not the empty chairs, it is
the fear in the community.  Whether the abuse is delivered by physical
or electronic means, the perpetrators want to send a message that the
next person to speak up will have nowhere to hide, deterring them from
speaking at all.  I make no apology for this analogy, if any of you had
been put through hell by such intimidation you would be equally outraged.


On 25/12/18 17:13, Norbert Preining wrote:
> There are more disturbing things going on where I suspect that members
> of Debian have taken unduly influence on procedures concerning me, but
> since I don't have proofs I cannot raise them here.

Norbert also appears to suspect that he is a victim of libel and
character assassination.

Such things are always abhorrent.  But when somebody uses a leadership
position to conduct such behaviour it is extraordinarily reprehensible. 
For the victims, it makes us feel like the weight of the whole
organization is being weaponized against us when a leadership figure
behaves like this.  It also means the damaging effects of the lies are
felt a lot further away and it is harder to undo them.  It forces us to
expose the person who spread the lies for their complete lack of integrity.

People raised concerns privately about why this is being brought up at
Christmas.  That is because the hole was already dug in September when
Chris Lamb sent an email to people, the name of a developer in the
subject line.  It caused some alarm for people.  They are not native
English speakers and some naturally assumed the worst.  The email
contained private information from DAM, breaching the trust of DAM.  It
was clear that this email would cause harm and it is unfo

Re: Censorship in Debian

[Daniel Pocock]

On 24/12/18 10:13, Marcin Kulisz wrote:
> On 2018-12-23 20:58:08, Bernd Zeimetz wrote:
>>
>> On 12/21/18 10:02 AM, Raphael Hertzog wrote:
>>> Norbert seems to have stepped back in response:
>>> https://lists.debian.org/debian-tex-maint/2018/12/msg00019.html
>> Getting your DD rights being removed from DAM is probably not what you
>> would call a step back in your free will. He was forced to do so.
> I didn't know about that and I have to say it makes me feel disturbed, a big
> time, and yes I'm aware of the most of this story.
>
> I wrote a bit longer post but looks like I kind of self censored it and this 
> is
> not making me happy either.


People asked privately why I'm fighting for Norbert.  I raised this for
everybody who feels this apprehension, it is not just about Norbert.

If anybody else in the community feels any apprehension about what they
can do or say, or communications they received from Debian leadership,
or if anybody feels they have something they can't discuss with the DPL
or AH team at the moment, I would volunteer to speak to you privately
about it.

Maybe Debian can follow a fine example from FSFEland and formally allow
the community to elect a representative, somebody who's mission is to
think of the developers/volunteers first?  My bulletproof vest is still
partly intact from my own efforts to do so in FSFE and I would gladly
put it under somebody else's Christmas tree tonight.  While we elect a
DPL, that role has many of the attributes of a manager/boss, not a
representative and whoever is in the role, their mindset is affected by
that.

Regards,

Daniel

--
Debian Developer
https://danielpocock.com

Re: €EUR 500 cash bounty for information / Debian privacy breaches, let go

[Daniel Pocock]

On 23/12/18 21:53, Geert Stappers wrote:
> On Sun, Dec 23, 2018 at 09:51:03PM +0100, Daniel Pocock wrote:
>> I don't want to risk spreading fake news or "generalizations".
>>
>> I'm offering a EUR 500 cash bounty for evidence about the privacy violation.
>>
>  
> Let it go
> Let it go at least for a now
>
>

I assure you, nobody is more disturbed by all this than me.  I'd be
delighted to see it stop.

In August I advised I would cut back on certain things, for example, not
doing GSoC admin[1] next year.

Other people couldn't let it go, they decided to resurrect various
issues recently in a multitude of different ways, stirring up a state of
hostility.

I've written to Chris Lamb privately on several occasions asking him to
meet with me and put it to rest.  So please don't blame me, I very much
want to see the current problems end.

Regards,

Daniel

1. https://lists.debian.org/debian-outreach/2018/08/msg00108.html

€ 500 cash bounty for information / Debian privacy breaches

[Daniel Pocock]

Hi all,

Chris Lamb has recently suggested[1] that I provided "an entirely
misleading characterisation of the situation"

He then reassures me he has "been nothing but scrupulous and gentlemanly
with regards to your personal privacy"

I don't want to risk spreading fake news or "generalizations".

I'm offering a €500 cash bounty for evidence about the privacy violation.

The first person to send me the proof privately (not on the mailing
list) receives the bounty.

To qualify, the proof needs to show how private information was
transmitted or leaked by the Debian Project Leader, antiharassment team
or account managers team to anybody else outside those teams or not
members of Debian.  It could be private information about  decisions,
any member of the Debian community or anybody else who interacted with us.

My priority is the root cause of this leak.  I don't wish to hold a
grudge against, name or pursue people who received the information and
then repeated it.  If you did repeat the information, you are still
eligible for the bounty but please don't repeat it again.

It is also important for the breach to be resolved internally so please
don't republish the information on this mailing list.

If you wish to remain anonymous, you are welcome to do so.

Having been promoting Debian for over 20 years, I'm disappointed to be
in a situation like this.  Integrity is priceless though.  For
everything else, there is now a €500 bounty.  If reasonably possible, I
will deliver it in person.  Getting to the truth is in the best
interests of the community and the Debian operating system.

Regards,

Daniel


1. https://lists.debian.org/debian-project/2018/12/msg00021.html


--
Debian Developer
https://danielpocock.com

Re: Censorship in Debian

[Daniel Pocock]

On 21/12/18 00:48, Steve McIntyre wrote:
> On Thu, Dec 20, 2018 at 11:18:51PM +0000, Daniel Pocock wrote:
>> If people want to pursue an anti-harassment objective in good faith,
>> then please start by realizing the existing team and their approach
>> needs careful examination, they need to make it a priority to put at the
>> front of their mind the welfare of every single person they come into
>> contact with, even if they don't understand or can't related to that
>> person's behaviour and they probably need to engage outside expertise
>> both for the benefit of the community and their own state of mind.
> Have you actually epoken to the anti-harassment team to enquire about
> their actions and supporting evidence before calling their methods and
> motivations into doubt here?

I've read their reports and made various observations.  As I was also in
a representative role in another organisation, I also received reports
of various kinds from time to time so I empathize with some of the
challenges they face.

Putting the evidence I've seen in a public list would be disrespectful
and a breach of trust.  Nonetheless, I confirm to the community that I
have seen enough (and I'm not referring to any communication they sent
about my own participation) to feel that some people are being left with
an unnecessarily bad feeling after interactions with the team and that
is a risk to the project.

> Also: not wishing to pile on, but I also believe that you linking
> assassinations to the actions of the a-h team is downright toxic and
> you should apologise.
>

I regret that people are focusing on that comment and a-h alone.

Nonetheless, the strength of my concern is the same.  Putting it in
perspective, in July, I indicated privately to the leader of our
project, Chris Lamb and also to Google that some extraordinary personal
circumstances had an adverse impact on my role as a mentor in GSoC this
year.  Google suggested simply taking a rest from the program, which was
hardly unreasonable in the circumstances, while the DPL became
frustrated, started making disparaging comments to other people about my
competence and I feel he has become increasingly vindictive towards me
in private.  A-H have seen some of that and done nothing to intervene.

Given those recent circumstances, which I have every right not to
discuss on a public list, there is probably nothing more extreme,
callous and harmful that Debian could do than removing my key from the
keyring on the night before what was the anniversary of being married
(in the civil sense).  Somebody then slapped it in my face again with an
offensive post on Planet the night before my birthday.  Norbert's post
to planet barely comes close to something like that.

If this project, through its leader, can be so out of touch with human
decency to treat a developer with such extraordinary disrespect and
contempt at a time like that then please don't groan too soon at my own
reactions to the latest goings on.

Notice that all of the above took place more than two months after the
original disclosure I made to the DPL but just days after SPI confirmed
receipt of $17,000 from Google, in other words, giving me the feeling
that Debian (or simply Lamb) had deliberately exploited and used me
until all GSoC loose ends were tied up and then put me out with the trash.

At a time when a remotely normal community might have showed some
compassion and support, Debian/Lamb continue to sustain this state of
hostility, forcing me to recall all of the above on a daily basis for a
number of months now.  So I apologize if my own communications might
have become a reflection of those very low standards of leadership that
I encountered here.

When I see the possibility that other members of the community are being
trampled on now, I simply assume the leadership is getting it wrong
again.  I would hate for anybody else to be put through what Lamb has
done in my situation.

Regards,

Daniel

Re: Censorship in Debian

[Daniel Pocock]

On 20/12/18 23:46, Russ Allbery wrote:
> Daniel Pocock  writes:
>
>> and I reply with the strongest possible evidence, personal experience
>> and scientific research.
> You decided to distort a political issue that many of us feel strongly
> about to attack a policy around what to republish in project-owned forums,
> which is only on a continuum with that issue if you look for it with a
> telescope.  You did this in a way designed to provoke strong feelings and
> create moral absolutes rather than start a conversation, and you did this
> knowing full well that you were attacking a specific team inside Debian
> composed, like all Debian teams, of overworked volunteer members.  You did

Please don't misrepresent me like that.  I am not calling on anybody to
attack any team, I'm calling on people to be assertive in defending
Norbert and other individuals who have been singled out.

> this without the slightest attempt to extend an assumption of good will or
> allow for the possibility there are further things going on that you don't
> know about, and you did so with such pathetically sloppy and incomplete


The fact that people don't know about certain things going on suggests
the project leadership is deviating from the social contract.  Let's get
the policy about Planet in the open or choose to have two Planets, e.g.
"planet-curated.debian.org" and "planet-uncensored.debian.org" and each
person can choose which one they want to read.


> research that even *I* know you are leaving out substantial background,
> and I haven't been trying to follow this saga.
>
> In other words, you immediately turned the temperature up as high as you
> could go and called on other people to attack your fellow Debian
> developers on the grounds that their work is a violation of UN-recognized
> human rights (!!).

Other people have chosen to turn up the temperature.  I felt my post was
both restrained and lukewarm in comparison.

I can see that this has been both shocking and surprising to some people
and I sincerely regret that.  I would ask you to consider it from my
point of view and from some of the abusive communications I have
received recently, they are the things that have established my frame or
reference right now.


>
> That you cannot understand how completely absurd this is means that it is
> futile to try to argue this point with you on the merits.
>
> There *is* an underlying project debate here that is a real debate, namely
> the rules for participation and republication in project forums.  I think
> it's a debate we've had to the point of absurdity, but I'm not horribly
> surprised that people want to still have it, and if that had been all your
> message had been, I would have sit on my hands and not added to the noise.
>
> But you saw an opportunity to artificially strengthen your debate stance
> by comparing the Debian anti-harassment team to assassins (!!) and you
> seem completely oblivious to why this is utterly unacceptable in
> collective discussion within a project of colleagues, peers, and friends.

Without going into detail, the actions of certain figures over the last
3 months are in no way comparable to those of colleagues, peers or
friends.  The people who initiated those communications have set the
tone for this debate through their arrogance, impatience and ego, not me.


> I have no idea personally what set off Norbert's removal from Planet
> Debian.  When I said irrespective of the merits of your argument, I really
> meant that.  But *this* bothers me far more: this kind of brutal approach
> to Debian politics is hostile, nasty, and deeply hurtful to the project.


ditto for the messages certain people have sent to me and other volunteers.

Given my own personal circumstances this year, "deeply hurtful" is very
much an understatement when assessing certain communications I received,
especially considering their timing.


> If you want to have a debate about the decision of a team in Debian, you
> have an obligation to the project to conduct that debate with a certain
> basic level of mutual respect.  Asking you to not compare your fellow
> project members to assassins does not seem like a high bar!  If you aren't

The bar has been taken even lower than you think and I am not the one
who put it there.

It is in our social contract that we do not hide our problems but I
would ask people to forgive me for not laying out the sheer brutality of
it in all it's gory detail right now.  Doing so would compromise the
privacy of multiple people outside the project.

> going to do that, I for one am quite happy to make this argument about
> *your* behavior, which was appalling and utterly toxic to supporting the
> community of a volunteer collective project.

Please don&#

Re: Censorship in Debian

[Daniel Pocock]

On 20/12/18 22:14, Russ Allbery wrote:
> Daniel Pocock  writes:
>
>> I was recently at the UN forum on business and human rights, listening
>> to an Iranian dissident talk[1] about the extremes that his country goes
>> to in censoring and silencing people who don't agree with their rulers. 
>> I would encourage people to watch the video.
>> At that very same moment, the anti-harassment team were censoring[2] a
>> Debian Developer's blog from Planet Debian.  Chilling.
>> I actually looked at Planet shortly after attending that panel
>> discussion and immediately noticed that Norbert Preining[3] had been
>> censored.  Disappearances of Khashoggi[4] and Kamphuis[5] came to mind.
> Entirely apart from the merits of the rest of your discussion of whether
> the project should republish this blog using project resources, this

If people want to clarify the way Planet can be used, they can create a
policy and maybe put it to a vote.  Retrospectively sanctioning people
without strong grounds based on policy is not right though.

People may expect a newsletter or another official publication to be
curated to some degree but I always had the impression that both Planet
and packaging are at the discretion of the individual developers. 
Personally, I welcome the diversity of views there and if it is going to
be curated now, I would volunteer to host an uncensored alternative to
Planet for those with similar feelings.

> framing is appalling and blatantly dishonest.  It intentionally conflates
> issues of government censorship and journalistic freedom that have cost
> people their lives with a dispute over whether Debian should *republish*
> content that has not been censored, restricted, or removed in any way, let
> alone been subject to threats of physical violence.
>
> I object in the strongest possible terms to this framing of your argument.
> You should be profoundly ashamed for choosing this path of malicious
> exaggeration phrased as an attack on the work of fellow developers.  It
> was completely unbecoming of a Debian project member.
>
and I reply with the strongest possible evidence, personal experience
and scientific research.

Having been rear ended by a utility van, thrown off a motorbike half way
across a roundabout and having also received abusive and threatening
messages from people within the Debian community, I feel that the
physical pain caused by the latter was more than the former.  Those
people should be ashamed of themselves.

Research confirms[1] this phenomenon.

If people want to pursue an anti-harassment objective in good faith,
then please start by realizing the existing team and their approach
needs careful examination, they need to make it a priority to put at the
front of their mind the welfare of every single person they come into
contact with, even if they don't understand or can't related to that
person's behaviour and they probably need to engage outside expertise
both for the benefit of the community and their own state of mind.

Regards,

Daniel


1.
https://www.huffingtonpost.ca/roger-covin/cyber-bullying-suicide_b_3996518.html

Censorship in Debian

[Daniel Pocock]

Hi all,

I was recently at the UN forum on business and human rights, listening
to an Iranian dissident talk[1] about the extremes that his country goes
to in censoring and silencing people who don't agree with their rulers. 
I would encourage people to watch the video.

At that very same moment, the anti-harassment team were censoring[2] a
Debian Developer's blog from Planet Debian.  Chilling.

I actually looked at Planet shortly after attending that panel
discussion and immediately noticed that Norbert Preining[3] had been
censored.  Disappearances of Khashoggi[4] and Kamphuis[5] came to mind.

At that moment, being surrounded by experts on human rights and freedom
of expression who may have far more experience than most of us in
Debian, I did a quick survey.  I couldn't find one person who supported
the actions of the censors.

Some of Norbert's blogs make people think, but they appear to be
overwhelmingly motivated by legitimate issues and his recent blog
thanking[6] Lars[7] appeared to end in an upbeat and sincere manner. 
Whether I agree with either of them or not, I'd like to take this
opportunity to wholeheartedly thank both Lars and Norbert for their
contributions as fellow Debian Developers and fellow bloggers.

Norbert had also made political statements[8] concerning the way codes
of conduct are used in our communities.  People who speak up like this
are frequent targets for political plots, protecting these people is
imperative.

Looking at Debian's code of conduct[9], there is no compelling violation
of the code in Norbert's writing.  Indeed, the only violation of the
code of conduct may be the act of censorship itself: the very first
point tells us "inevitably there will be people with whom you may
disagree, or find it difficult to cooperate. Accept that, but even so,
remain respectful."

Even without contemplating the code of conduct, censorship has a
sinister effect on discussion.  People notice when somebody disappears
and they become hesitant to speak about problems, whether they are
technical issues or social issues.  I feel compelled to speak up but as
I write this, I contemplate the risk that some people will try the same
tactics as the Iranians, censoring me, threatening me or dragging my
name through the mud.  If they try that, they may give each other a pat
on the back but they don't fool our community at large.

Nonetheless, article 30 of the Universal Declaration of Human Rights[10]
clearly states that no institution should act in any way to destroy the
rights enshrined in the UDHR.  The definition of an "institution" there
clearly applies to a group with the influence of Debian, it is not only
for states and courts.

Wake up, people.  If we are repressing members of our own organization
like this, we haven't got a hope in hell of achieving our mission[11]
for society at large.

The UN calls on us to "stand up 4 human rights" on this 70th anniversary
of that declaration.  You can do that now by standing up for Norbert. 
It takes minutes for anybody, Developer or not, to submit a merge
request in Salsa[12] to uncomment his blog.  You can also email the
Debian Project Leader, lea...@debian.org

If you know people in other organizations concerned with human rights,
discuss Norbert's case with them and get their opinion, just as I did.

You can't pick and choose human rights, having some freedoms and not
others, the declaration even implies this too.  Anybody who tries to do
that is on a very slippery slope indeed.

In my role as a representative in another organization and in my
extensive work with Debian, various people have approached me about
incidents of censorship and overbearing efforts to control participation
in the free software community.  It is far more widespread than many
people realize.  It only happens because people fail to speak up.  For
example, an FSFE volunteer was censored at 34C3 after distributing
leaflets questioning Google's funding to FSFE.  There is increasing fear
that "anti-harassment" efforts are being used as cover for political
agendas, they are operating in a bubble and diverging significantly from
what would be acceptable in any other organization or field of
endeavour.  They post big newsletters to debian-devel-announce boasting
about their work but many people feel those reports reek of gloating and
one-upmanship.

On a technical level, we may want to consider whether Planet is fit for
purpose: if we want to showcase best practice in creating a platform
where freedom of expression can thrive and remain immune to abuses,
should we simply make more efforts to migrate to a decentralized tool,
eliminating the risk that any subgroup or faction within Debian will be
able to carry on like that now or in future?

As somebody more famous once said, "I Disapprove of What You Say, But I
Will Defend to the Death Your Right to Say It".  I welcome responses to
this topic whether you share my concerns or not but if nobody cares
about this stuff, please tell me, 

Re: hacking a home with free technology and Debian

[Daniel Pocock]

On 02/10/18 19:23, Tollef Fog Heen wrote:
> ]] Daniel Pocock 
> 
>> Can anybody comment if they give a genuinely plug-and-play experience,
>> without needing firmware blobs or proprietary tools to get up and
>> running?  Or are there even better alternatives for the
>> freedom-conscious Debian user?
> 
> No experience with the Zigate, but I have the aotec z-wave stick and it
> works fine with other zigwave equipment. (I'm using home-assistant to
> drive everything, I don't think that's particularly important, it just
> uses the python libs.)
> 


Thanks for confirming this, I added a new section on the wiki[1] listing
Z-Stick and Zigate.

If nobody is sure about Zigate then maybe I'll just buy one, test it and
share my observations.

If anybody can suggest any other Debian-friendly option please feel free
to add it to the table.

Noodles blogged[2] about heating yesterday, it is really helpful.  As an
Australian in Europe, heating is at the top of my list too but my own
project is bigger and requires more zoning logic.  I'm currently tempted
to put the Oomi sensor[3] in every room, hallway, garage and loft and
use a wired valve, controlled by a Z-wave on/off relay, on every
radiator (there are 14 of them and it is still too cold).  Has anybody
tried anything like that, either with Domoticz, Home Assistant or any
other solution?

Regards,

Daniel

1. https://wiki.debian.org/HomeAutomation
2. https://www.earth.li/~noodles/blog/2018/10/heating-automation.html
3. https://www.vesternet.com/z-wave-plus-oomi-multisensor

Re: hacking a home with free technology and Debian

[Daniel Pocock]

On 15/09/18 10:40, Lucas Nussbaum wrote:
> Hi Daniel,
> 
> On 15/09/18 at 00:45 +0200, Daniel Pocock wrote:
>> Hi everybody,
>>
>> I've got an interesting opportunity to completely replace all the
>> sockets, lights, heating controls and appliances in my Dublin house with
>> things that are free or easily hackable.
>>
>> Which direction are other people in the Debian and free software world
>> going with such projects?  Searching the wiki, the only significant page
>> I found was a reference to X10 protocol[1]
>>
>> Other people have mentioned having some success hacking proprietary
>> devices that use Zigbee and ZWave.
>>
>> Can anybody comment on these or any other related technologies?
>>
>> Being more specific, at a bare minimum, I envisage having a small rack
>> with a Debian server, smart power sockets to control things like the
>> boiler and immersion heater and a range of lights around the house
>> controlled centrally.
> 
> My experience in the world of home automation is that, when selecting
> the technology (X10, ZWave, etc.) you should look at the whole chain:
> - whether you can find software to control it
> - whether you can find hardware to control it (typically a RF transmitter
>   device)
> - whether you can find end devices (switches, thermometers, etc.) that
>   do what you need
> 
> Whether the protocol is open or not does not matter much, unfortunately.
> What really matters is whether it has been sufficiently reverse
> engineered.
> 
> The fancy new technologies don't have that many end devices available,
> or they are fairly expensive. (Or you might want to design your own
> devices, but that's not something I was willing to do)
> 
> I've had some success with:
> - software: domoticz (not in Debian, but Debian-friendly, and there's an
>   ITP). I mostly use it through its REST API to automate stuff or get data
>   (into a munin plugin for example)
> - hardware controller:
>   + a USB ZWave dongle

Did you mean the Z-Stick[1] or another model?

Z-Stick is rated highly in reviews[2] and the web site claims it is
aimed at open source and cloud-averse users.


>   + RFPlayer, a multi-protocol gateway that understands many
>   (proprietary) protocols (but the firmware is closed source). There's
>   another one on the market with a different set of protocols, called
>   RFXCom


Another one I came across is Zigate[3] for Zigbee.  Like the Z-Stick, it
appears to eliminate the need for a proprietary hub or controller.  It
was crowdfunded and appears to originate in France.

Using Z-Stick and Zigate together appears to cover both major protocols.

Can anybody comment if they give a genuinely plug-and-play experience,
without needing firmware blobs or proprietary tools to get up and
running?  Or are there even better alternatives for the
freedom-conscious Debian user?

Looking at some alternatives, like XBee, I noticed they require[4] a
Windows tool for firmware management, this appears inconvenient.

Regards,

Daniel

1. https://aeotec.com/z-wave-usb-stick
2. https://buildyoursmarthome.co/reviews/best-z-wave-usb-stick/
3. https://zigate.fr/
4.
https://www.domoticz.com/wiki/ZigBee#Using_Digi.27s_X-CTU_.28XCTU.29_Software

Re: hacking a home with free technology and Debian

[Daniel Pocock]

On 15/09/18 10:40, Lucas Nussbaum wrote:
> Hi Daniel,
> 
> On 15/09/18 at 00:45 +0200, Daniel Pocock wrote:
>> Hi everybody,
>>
>> I've got an interesting opportunity to completely replace all the
>> sockets, lights, heating controls and appliances in my Dublin house with
>> things that are free or easily hackable.
>>
>> Which direction are other people in the Debian and free software world
>> going with such projects?  Searching the wiki, the only significant page
>> I found was a reference to X10 protocol[1]
>>
>> Other people have mentioned having some success hacking proprietary
>> devices that use Zigbee and ZWave.
>>
>> Can anybody comment on these or any other related technologies?
>>
>> Being more specific, at a bare minimum, I envisage having a small rack
>> with a Debian server, smart power sockets to control things like the
>> boiler and immersion heater and a range of lights around the house
>> controlled centrally.
> 
> My experience in the world of home automation is that, when selecting
> the technology (X10, ZWave, etc.) you should look at the whole chain:
> - whether you can find software to control it
> - whether you can find hardware to control it (typically a RF transmitter
>   device)
> - whether you can find end devices (switches, thermometers, etc.) that
>   do what you need
> 
> Whether the protocol is open or not does not matter much, unfortunately.
> What really matters is whether it has been sufficiently reverse
> engineered.
> 
> The fancy new technologies don't have that many end devices available,
> or they are fairly expensive. (Or you might want to design your own
> devices, but that's not something I was willing to do)
> 
> I've had some success with:
> - software: domoticz (not in Debian, but Debian-friendly, and there's an
>   ITP). I mostly use it through its REST API to automate stuff or get data
>   (into a munin plugin for example)
> - hardware controller:
>   + a USB ZWave dongle
>   + RFPlayer, a multi-protocol gateway that understands many
>   (proprietary) protocols (but the firmware is closed source). There's
>   another one on the market with a different set of protocols, called
>   RFXCom
> - end devices:
>   Zwave remove switches (beware of the max power they can handle if you
>   want to control your heater), Oregon thermometers, OWL energy monitor,
>   Zwave and Deltia Dore "pilot wire" devices (for electric heaters 
> controller),
>   roller shutters (note that there's two protocols on the market, and
>   only one of them has been reverse engineered).
> 
> 


Thanks to those who gave feedback already.

I created a wiki page to gather further ideas and links:

https://wiki.debian.org/HomeAutomation

On the radio protocols, I notice there are also some SDR-based solutions
emerging:

https://github.com/bastibl/gr-ieee802-15-4
https://stackoverflow.com/questions/31850928/manage-multiple-signal-speed-in-a-gnu-radio-flow-graph

Using a device like LimeSDR, could SDR be a way to achieve a completely
free software stack and also have multiple protocols on a single
transceiver?

Regards,

Daniel

hacking a home with free technology and Debian

[Daniel Pocock]

Hi everybody,

I've got an interesting opportunity to completely replace all the
sockets, lights, heating controls and appliances in my Dublin house with
things that are free or easily hackable.

Which direction are other people in the Debian and free software world
going with such projects?  Searching the wiki, the only significant page
I found was a reference to X10 protocol[1]

Other people have mentioned having some success hacking proprietary
devices that use Zigbee and ZWave.

Can anybody comment on these or any other related technologies?

Being more specific, at a bare minimum, I envisage having a small rack
with a Debian server, smart power sockets to control things like the
boiler and immersion heater and a range of lights around the house
controlled centrally.

Regards,

Daniel


1. https://wiki.debian.org/X10

Re: DocuTech in Prishtina June 9th and 10th

[Daniel Pocock]

On 23/05/18 12:16, Izabela Bakollari wrote:
> Hi Enkelena,
>
> The registration link at this discussion is for residents in Albania
> applying for reimbursement for their travel and accommodation costs.
> Attending DokuTech is for free and people not living in Albania and/or
> not applying for reimbursement should first register at the official
> website http://doku.tech/ 
>

Thanks Izabela, Enkelena,

I asked in the forum to clarify the procedure/link for speakers and
booths, the DokuTech page only has a link for the free visitor ticket
but I see an email address i...@doku.tech that people could try.

The Debian funding request procedure is here[1]

This is one of the biggest events in Kosovo and there are several budget
airlines flying to Prishtina (PRN) airport now, e.g. WizzAir and Easyjet.

Our local GSoC participants, FLOSSK[2] and Open Labs[3] communities may
be able to provide more information to anybody who wants to visit.

Regards,

Daniel


1. https://wiki.debian.org/Teams/DPL/Reimbursement#Who_will_reimburse_you
2. http://flossk.org/
3.
https://forum.openlabs.cc/t/dokutech-a-tech-conference-in-the-heart-of-the-balkans/1168/2

cataloguing Trusted Organizations

[Daniel Pocock]

Hi all,

On the list[1] of Trusted Organizations, I've added a column with the
financial year end.  I notice that all appear to follow a calendar year
which could be convenient for producing a consolidated balance sheet up
to 31 December each year.

The articles of each organization are in different languages (French,
German and Chinese) so if I've misunderstood any of them please correct me.

For future Trusted Organizations, I've added a list of technical
parameters[2] that would be very convenient for Debian to capture at the
point where they apply.  If anybody can think of other parameters that
belong on the list please feel free to add them.

It was pointed out to me that FSFE uses a list of points from
Transparency International[3] to publicise information[3].  Could the
same points be relevant for summarising the Trusted Organizations, or
are there alternative criteria that anybody prefers?

Regards,

Daniel



1. https://wiki.debian.org/Teams/Treasurer/Organizations
2. https://wiki.debian.org/Teams/DPL/TrustedOrganizationCriteria#Parameters
3. https://www.transparency.de/Initiative-Transparente-Zivilg.1612.0.html
4. http://fsfe.org/about/transparency-commitment.en.html

Re: [English] FOSScamp 2017 @ Syros, Greece

[Daniel Pocock]

>  in all our activities talk to women
>at the hackerspace about getting involved in Debian because they will
>get free travel to various events. It's a bit of cherrypicking, isn't
>it?
>
>Last reply from my side here.
>
>



I don't want to try and speak for women but if any woman does go to tech events 
for more than just "free travel" maybe they should have the last word on this?

>
>
>
>---
>[Visit
>Topic](https://forum.openlabs.cc/t/fosscamp-2017-syros-greece/459/39)
>or reply to this email to respond.
>
>You are receiving this because you enabled mailing list mode.
>
>To unsubscribe from these emails, [click
>here](https://forum.openlabs.cc/email/unsubscribe/dfa0f63bed32fb4b95a70a7d27e908bdec2318ef2fcb0d5d7bbe8b3f50957a1d).

Re: Debian Treasurer Team Sprint Report

[Daniel Pocock]

On 22/02/18 13:33, Hector Oron wrote:
> Debian Treasurer Sprint was held Feb 5th, 2018 in Brussels right after
> FOSDEM2018.
> 
> Attendees were Philipp Hug, Martin  Michlmayr, Mehdi Dogguy and Héctor
> Orón Martínez
> 
> The following topics were discussed:
> * Role of the Debian Treasurer team was reviewed. The team is
> comfortable with current delegation however there is currently a gap
> tracking assets (suchas trademarks and contracts signed on behalf of
> Debian). There is currently no plan on how to best track those.
> * DebConf e.V. status. Planned it's dissolution, it might still
> need about a year before it can really be shutdown.
> * Annual report. A rough balance and expenses were given out by
> most TO and we are very close to be able to prepare a very first vague
> report on current Debian financial status RSN.
> * Improvements on how to best gather data from TO were discussed.
> * Reimbursement process improvements were also discussed.
> Treasurer team had great feedback from Daniel Pocock on the matter.
> * Hardware acquisition process needs to be developed for Debian
> core teams to acquire what they need.
> * Annual financial planning. It was discussed that a yearly
> forecast of expenses would be a great to plan ahead so active
> fundraising could be carried on. Debian Tresurer team will work on
> estimating it and advising DPL and TO involved.
> * Cryptocurrency donations were discussed and we plan to enable
> those for bitcoin donations via Debian.ch, Bitcoin will be
> automatically converted to TO currency instead of keeping such asset.
> Debian.ch is kind to look into investigate enabling other crypto
> currency donations to Debian.
> 

Thanks for all these details

One small change I've made: there is now a table on the Reimbursements
page[1] with convenient mailto links, they try to create messages with
the correct recipient, CCs and subject lines for each type of request.
Maybe people can improve them to add a body template too.

If people like this idea, maybe the table can move to the top of the page.

People can create more bespoke mailto URIs and embed them in pages for
individual events too.

If anybody wants to beta test these links, you could try making a
request to come to the Tirana[2] BSP next weekend.  It could be a great
place to thaw out after the negative temperatures in Europe this week.

Regards,

Daniel


1. https://wiki.debian.org/Teams/DPL/Reimbursement
2. https://forum.openlabs.cc/t/debian-bug-squashing-party/722/45

Re: Debian activity in Albania, Debian Bug Squashing Party in Tirana

[Daniel Pocock]

On 27/01/18 02:51, Chris Lamb wrote:
> Dear Izabela,
>
>> We want to ask if there are developers to want to join us at the Open Labs
>> Hackerspace in Tirana, Albania.
> Thank you so much for the invitation! May I suggest adding it to the
> various wiki pages such as  etc.
> etc? :)

They have added it now:

https://wiki.debian.org/BSP/2018/03/al/Tirana
>
>> We might need some orientation during the event.
> Can you clarify what you mean by this, out of interest? :)

They will need some guidance on bug triage basics: things like reading
the changelogs, how and why to try and reproduce a bug on another
system, useful things to capture when a bug is reproduced (e.g. gdb or
strace output), submitting patches to the BTS

Regards,

Daniel

Re: On the Anti Harassment Team

[Daniel Pocock]

On 13/08/17 17:11, Margarita Manterola wrote:
> During DebConf17 there was a BOF about the Anti-Harassment team. You can
> find linksto slides, text, videoand collaborative pad of the discussion
> in our wiki page: https://wiki.debian.org/AntiHarassment.
> 
> We presented a status report of the issues that had been handled during
> the past year as well as invited participants to comment on some
> questions related to the team.  These are the conclusions from that
> discussion.
> 
> 1) Scope and Powers: the team is in charge of mediating between
> developers but doesn't have any actual powers, it can only recommend
> actions to other delegates (listmasters, DAM, etc), but it's on the
> delegates to take action. There are advantages and disadvantages to this
> model, but after discussing it, we ended up deciding to keep going as we
> are.

Even if the team doesn't have powers, is there an obligation for
delegates to refer less urgent matters to the team before taking action?
 Would such an obligation be useful?


> 
> 2) Activity reporting: we plan to do an annual or semi-annual report to
> the project, similar to the one presented in the BOF.
> 
> 3) Members: thejobthat our team doesis quite taxing and in order to be
> responsive we would like to have new members, and work on a rotational
> basis (i.e. two or three years of term, not forever) to avoid burn-out.
> Additionally, we believe that we need extra trainingto be better
> prepared to handling issues, this is something that we want to work on.
> 
> 4) Name: we find that "anti harassment" is not a great name both because
> it's negative and because it puts people on edge when we contact them. 
> We asked people to suggest other names.  The current best suggestion
> that we have is "Respect & Inclusion team" with resp...@debian.org
>  as the alias(not created yet).This
> discussion is still open and we welcome other suggestionsand
> ideas(contact us via antiharassm...@debian.org
>  ).
> 


Maybe something along the lines of Conflict Management, Dispute
Management or mediation would be more neutral?

As you point out, (Anti)Harassment has a negative feeling and it also
limits people's perceptions of what this team could get involved in.  In
some cases issues can be resolved by some kind of mediation before
harassment occurs.

I've seen some cases in other organizations over the last couple of
years where independent assistance was needed but it didn't appear to be
"harassment" when it was first noticed.  In one case harassment was
discovered but only after other issues.  In such situations, it is
useful to have the help of somebody neutral who can get to the bottom of
the issue, notice harassment if it does exist and be fair to people on
all sides.

While some situations are one-sided, others involve personality
conflicts, stress, life changes, mental illness or other things where
there is no "winner" or "loser".  Debian is already an outstanding
organization but being able to deal with such situations more
compassionately would make it more so and may be a compelling reason for
people to contribute to this team.

Regards,

Daniel

Re: Emeritus status, and email forwarding

[Daniel Pocock]

On 15/11/17 12:53, Ian Jackson wrote:
> Someone who was sort-of-MIA said on -private that they would like to
> keep their @debian.org email forwarding indefinitely, as they move to
> emeritus status.

One alternative that wasn't mentioned in this thread: what if Debian
stops providing @debian.org email addresses and phases out existing
addresses?

I'm not advocating this as my preferred solution, but it is useful to
have all options on the table in a discussion about the email addresses.

Benefits of deprecating all debian.org email addresses:

- less things for DSA to maintain

- less problems with forwarding from debian.org to other mail servers
that enable strict SPF policies[1]

- people would be forced to use (or create) some other email address for
their packaging work (debian/control, changelog) and these addresses
would still be contactable after they leave the project

Disadvantages:

- for people who want a distinct email address for their Debian
contributions, a little extra effort to create and monitor an extra
private email address for their packaging work

- existing addresses will still linger around for a long time

- the use of the debian.org addresses is a strong way for people to show
that they are doing things on behalf of Debian, the loss of this benefit
could be mitigated partially by using team addresses to send some types
of communication

Regards,

Daniel


1. http://www.openspf.org/FAQ/Forwarding

Re: Debian activity in Albania, Debian Bug Squashing Party in Tirana

[Daniel Pocock]

On 14/11/17 20:06, Izabela Bakollari wrote:
> Hi all,
> 
> The Debian community in Albania wants to organize a Debian Bug Squashing
> Party in December 2017.
> 
> We want to ask if there are developers to want to join us during the
> weekend of 16-17 December (or any other suitable weekend) at the Open
> Labs Hackerspace in Tirana, Albania.
> 
> Your experience would be a great help for us.

Izabela, thanks for taking this initiative

I've been to Tirana several times and it is great to see how
enthusiastic and creative the community is out there, if anybody can
travel that weekend I can highly recommend it.  I'm not currently sure
if I can get there myself.

Is there anybody who could help out remotely either during the event or
maybe to provide some guidance beforehand?

Regards,

Daniel

Re: [FLOSSK] Debian activity in Kosovo, MiniDebConf Prishtina, diversity

[Daniel Pocock]

On 28/09/17 10:31, Altin Ukshini wrote:
> I've updated the wiki with more
> details: https://wiki.debian.org/DebianEvents/ks/2017/MiniDebConfPrishtina
>
> Who else wants to talk or organize a workshop? We could maybe do a
> remote presentation as well.

The collaboration with Fedora Women Day on this event deserves a special
mention - Jona Azizaj suggested it, she was actually part of my
presentation (video[1]) at DebConf17 in Montreal by making a call from
fedrtc.org to rtc.debian.org

As there are a lot of people in the region who are encountering free
software for the first time, this joint event will give them a broader
perspective of our communities as well as the solutions we offer.

Regards,

Daniel

1.
http://meetings-archive.debian.net/pub/debian-meetings/2017/debconf17/free-communications-with-free-software-a.vp8.webm

Debian activity in Kosovo, MiniDebConf Prishtina, diversity

[Daniel Pocock]

Hi all,

I've had some recent visits to Kosovo and there are some exciting things
happening there.

Chris Lamb got there first for Software Freedom Kosova[1] 2016.

At the Digital-born Media Carnival[2], I met some students, Albiona and
Qendresa Hoti, who invited me to visit and asked me if I could provide
some support for their hackathon in Prizren.  I went there and gave a
talk at the Innovation Center Kosovo[3] in July and went back for the
hackathon[4] in August.

A MiniDebConf is now being organized for 7 October.  The Prishtina
hackerspace[6] is a possible venue but this hasn't been finally
confirmed yet.

Kosovo has also been discussed in the bug tracker recently, there is a
first Debian mirror[7] there and there is discussion about how to give
Kosovan users a better experience[8] using the Debian installer.

Like Albania[9], there are really good signs for diversity in Kosovo and
it looks like the MiniDebConf may achieve a gender ratio that hasn't
been seen before in Debian events, with the exception of those that were
exclusively organized for women.

Regards,

Daniel


1. http://sfk.flossk.org/sfk16/
2.
http://www.shareconference.net/en/defense/digital-born-adventures-kotor-and-lessons-carnival
3. https://ickosovo.com/
4.
https://wiki.debian.org/DebianEvents/ks/2017/CoderGalsHackathonForGirlsPrizren
5. https://wiki.debian.org/DebianEvents/ks/2017/MiniDebConfPrishtina
6. http://www.prishtinahackerspace.org/
7. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867255
8. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872867
9. https://www.openlabs.cc

Fwd: [Until 21 August] Your comment about legislative changes for code sharing platforms

[Daniel Pocock]

I wasn't sure if this was to be forwarded but now I have clarification,
here it is.  It is related to the thread "Debian infrastructure in the
EU / copyright challenges"


 Forwarded Message 
Subject: [Until 21 August] Your comment about legislative changes for
code sharing platforms
Date: Wed, 16 Aug 2017 06:53:03 +
From: Matthias Kirschner 
To: associa...@lists.fsfe.org

Dear associates,

We are contacting you because the EU is currently updating its copyright
law and the proposed changes can have strong negative implications for
collaborative software development. As you might be affected from those
changes, we would highly appreciate your comments, which might be
helpful for the research paper we are currently working on.

# What is this about?

The European Union works on regulation which will be very hard for
online code sharing platforms to comply with, and will increase the risk
for users to loose their code hosted on those platforms. The proposed
Article 13 of the Copyright Directive and its recital 38 are directly
relevant for the software development platforms. Several committees of
the European Parliament have already proposed amendments, and some of
them go even further than the Proposal of the Commission.

These legislative proposals can extensively hinder collaborative
software development, and especially Free and Open Source Software. New
rules proposed by the EU will create legal uncertainty for developers
using online tools when contributing to the Free and Open Source
projects through online code sharing platforms. The newly proposed
obligations on code sharing platforms will threaten their existence, and
effective online co-development by:

* Imposing on code sharing platforms the use of costly filtering
  technologies to prevent any possible copyright infringement;

* Imposing illegal monitoring obligation to track their every user.

As a result, every user, of a code sharing platform: an individual,
company, or a public body is treated as a potential copyright infringer
whose content, including the whole code repositories, can be taken down
and disabled at any time.

The vote in the parliamentary lead committee is scheduled for October.
More details on the proposed changes of the EU law are to be found at
the end of this e-mail.

# What OFE and the FSFE are doing

We are drafting a research paper, accompanied by an online engagement
tool to be launched in early September, to inform policy-makers of the
dangerous consequences of the proposed EU copyright rules for
collaborative software development.
For that we are gathering figures and comments about FOSS development
and how collaborative software development platforms are used (i.e.
GitLab, GitHub, GNU Savannah, etc., or even self run services with a
large user base). That is where you come in.

# How you can help

We hope you can give us your input on the importance of code sharing
platforms, deriving from your experience with them. Your feedback is
extremely important, in order to bring your voices to the policy makers
and highlight the barriers they might impose on Free Software
development.

For your comment the following questions might help you:
* Were you aware of the proposed changes of the Copyright Directive
  (Article 13 and its related recital 38)?
* Which web-based version control repositories, either provided by a
  third party or hosted by yourself, do you use?
* For which kind of activities do you use any of the web-based version
  control repositories?
* To what extent do you use any of the web-based version control
  repositories for your own code and software project management?
* do you have any other feedback/comments on the directive?

# Contact Details
Please give send your feedback before **21 August** to Polina Malaja
 and Matthias Kirschner  so that your
input is included in the research paper.
Looking forward to hearing from you.

Thank you in advance.

Best Regards,
Matthias

# Reference with detailed background information

* Commission's proposal

* IMCO Opinion

* ITRE Opinion (amendments 25, 49 and 52)

* JURI draft Opinion   *
,
  *
,
  *
,
  *
,
  *

Debian infrastructure in the EU / copyright challenges

[Daniel Pocock]

There has been some discussion about the potential impact of the latest
copyright legislation[1] on sites/services that share source code or
facilitate collaborative development services.

The EU vote on those rules potentially takes place in about 2 months.

One of the key concerns is that while such sharing won't be banned,
compliance with the laws would be costly.  For a volunteer and
non-profit organization like Debian, this is obviously unpleasant.

While it is the EU right now, this type of thing could appear anywhere
(e.g. the US or a country that leaves the EU but copies EU laws to
maintain market access)

DSA has been talking about a new 5-year plan to start replacing
hardware[2] from 2017 onwards, this will potentially be costly in terms
of volunteer effort and finances and it would be useful to ensure both
the location of the hardware and the strategies used for producing
Debian will be resilient against bumbling lawyers and politicians
throughout the life of that infrastructure.

Has there already been any discussion or assessment of these risks
within Debian or other communities?

How much of the new hardware may potentially be located in the countries
concerned?

This type of situation is not completely new - for many years, we had
the non-US issues[3] which only ended in sarge / 2005.

Regards,

Daniel


1.
https://www.eff.org/deeplinks/2017/03/eu-internet-advocates-launch-campaign-stop-eus-dangerous-copyright-filtering
2. https://micronews.debian.org/2017/1486409314.html
3. https://wiki.debian.org/non-US

event reports, help with mentoring and Planet?

[Daniel Pocock]

Hi all,

Anisa Kuci received assistance from Debian and FSFE for a recent visit
to events in Switzerland, she has blogged[1] about her experience. 
Anisa is now in Japan after receiving a bursary for giving a talk[2] at
State of the Map.

Kristi Progri blogged[3] about my recent visit to Open Labs[4] in Tirana
after the Digital-Born Media Carnival.  As I've commented previously,
really good things are happening in this region.  In particular, there
are some very serious and well prepared applicants for Outreachy.  If
you can mentor in the next rounds or if you can help connect these
interns with mentors in other communities please join us on
debian-outreach[5] or feel free to contact the Debian outreach admins or
myself off-list.

I added the blogs for several Open Labs members to Planet Debian but we
don't have the latest Planet Venus running there and it is not picking
them up.  Would anybody want to volunteer to join the Planet team and
help with issues like this?

The logs on planet-master.debian.org show things like this:

DEBUG:planet.runner:missing self link for http://anisakuci.com/feed/
DEBUG:planet.runner:missing html link for http://anisakuci.com/feed/

All their feeds appear to be missing the optional xml:base attribute and newer 
versions of Planet Venus appear to work successfully without it.  Elio Qoshi's 
blog is successfully appearing on Fedora and Mozilla planets and my own 
planet.freertc.org server (using planet-venus from stretch) can poll them too.

I tried using the "xml_base" parameter but it didn't appear to help.  Would 
anybody know how they can enable the xml:base attribute in their feeds as a 
workaround or is there something else that must be changed?

Regards,

Daniel


1. http://anisakuci.com/2017/08/11/events-in-zurich/
2. http://2017.stateofthemap.org/2017/how-to-build-up-an-osm-community/
3. https://kristiprogri.com/2017/08/05/debian-meet-up-tirana/
4. https://www.openlabs.cc
5. https://lists.debian.org/debian-outreach

Re: rm ~/.gnupg/secring NOW!

[Daniel Pocock]

On 03/08/17 18:19, Adam Borowski wrote:
> On Thu, Aug 03, 2017 at 09:54:28AM +0100, Daniel Pocock wrote:
>> On 02/08/17 21:30, Adam Borowski wrote:
>>> On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
>>>> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
>>>> (ie, before Stretch), then used --delete-secret-key, please
>>>> rm ~/.gnupg/secring.gpg
>>> Obviously, this assumes you did run a gpg command after upgrading from
>>> jessie and thus triggered the upgrade to 2.1 format.  Ie,
>>> ~/.gnupg/.gpg-v21-migrated exists.
>>>
>>> And if not... well, an opportunity to test your backups was overdue :p
>>>
>> Would problems like this be avoided by using the PGP/PKI Clean Room[1]?
>> 1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
> No matter how you generate your key, you still need to both store and access
> it _somewhere_.
>
> It is possible to do so on a dedicated smartcard, which is more secure, but
> most of us do not own such a card.  In a separate thread, I asked for
> advice how to transition from have-nots to haves, but even if _I_'ll get a
> card, there's many other folks who have their keys right in ~ .
>
> For the majority who use software-only key management, such issues can't be
> avoided.


If each of us tries to do the best we can then hopefully other people
will follow and security will improve.

Looking at the clean room, for example, it doesn't have a GUI yet but
anybody familiar with the GnuPG and/or OpenSSL command lines can buy a
LibreBoot X200 and start using the clean room immediately.

When a GUI becomes available people not comfortable with the command
line can start using it too.  This still might not be enough for your
family and friends but it will be enough for many, many more IT workers
to start using PGP every day.

>> I've proposed a discussion[2] about it for DebConf
>> 2. https://debconf17.debconf.org/talks/66/
> This one 403s.
>

I've contacted the DebConf talks team, the submission is still in the
pending state.

Regards,

Daniel

Re: wanted: educate us please on key dongles

[Daniel Pocock]

On 02/08/17 21:16, Adam Borowski wrote:
> Hi!
> Continuing from IRC:
> It would be nice if someone knowledgeable could educate the rest of us about
> physical key dongles -- a number of DDs/DMs/contributors still keep their
> secret keys on a regular disk, and could use a primer.  Me included.  I do
> have a backup key with plenty of sigs that's stored securely, but my regular
> key is on the same physical machine I test random software on.
>
> There are docs available on the interwebs, but:
> 21:22 < lamby> The concept of following random docs/commands on the web in
>order to get a "super secure" key makes me smie :)
>
> There's GNUK ("out of stock"), Nitrokey and others -- but how do they
> differ?  Actually, at this point it would be easier to skip the details and
> say "if you don't know any better, buy X".
>
>
> Thus: can I has "key dongles for dummies", plz?

We do have documents but they are spread over the wiki, some of them
contain duplicate information and they link back and forth between each
other.  Examples below.

How could we refine that into a step-by-step "howto" guide that takes
any user from whatever situation they are in today (whether it is bare
metal or already using some other OS or an existing Debian user) and
helps them reach a place where they are using PGP securely?


https://keyring.debian.org/creating-key.html
https://wiki.debian.org/Keysigning

https://wiki.debian.org/Smartcards
https://wiki.debian.org/Smartcards/OpenPGP
https://wiki.debian.org/Smartcards/OpenPGP/Buying
https://wiki.debian.org/Smartcards/YubiKey4
https://wiki.debian.org/GnuPG/SmartcardSubkeys

Re: vPro and secure Debian systems

[Daniel Pocock]

On 02/08/17 21:41, Zlatan Todoric wrote:
>
>
> On 08/02/2017 10:24 AM, Daniel Pocock wrote:
>> Hi all,
>>
>> There is a page[1] about AMT / vPro on the wiki, it doesn't mention any
>> of the security concerns[2] about this technology.
>>
>> Is there anything that Debian can do as an OS (e.g. default settings,
>> check during installation) to protect users from risks associated
>> with vPro?
> No, OS can't prevent hardware hack that is already in place. That
> said, it can lock things down to some degree (like iomem restriction
> in newer kernels that prevent you from flashing BIOS for example,
> though it can still be disabled via iomem=relaxed kernel option).
>
>>
>> For people who have a computer or laptop with vPro capabilities, can it
>> be made secure or are they better off getting rid of that system?
>
> vPro is not issue per se. Entire combination of vPro, ME Enterprise
> and Intel Wi-Fi makes the AMT which can be issue. That said, for most
> systems with that combination, AMT is disabled (unless specially
> requested I don't think there are laptops that have it enabled by
> default).
>

Looking at the ME_Cleaner wiki page[1] about Intel Boot Guard, it seems
to imply that if you buy a laptop with the "vPro" sticker or whatever,
you are more likely to be stuck with Intel Boot Guard too.  So while
vPro may not be the issue itself, it is to be avoided because Boot Guard
is a pain.

>>
>> A lot of new Intel-based laptops, e.g. Thinkpads, offer a choice to buy
>> with or without vPro.  Does deselecting vPro during the customization
>> process actually make any difference from a security perspective, or is
>> the same stuff still present in the system anyway?
>>
>> Regards,
>>
>> Daniel
>>
>>
>> 1. https://wiki.debian.org/AMT
>> 2.
>> https://security.stackexchange.com/questions/128619/what-are-the-privacy-and-security-risks-associated-with-intels-management-engin
>>
>>
>>
>>
> So the attitude here should be "I need combination of hardware and OS
> to make things more secure" - which comes to things such as open
> schematics based on open standards (hopefully for some awesome future
> RISC-V based motherboard), coreboot, Heads (for measured boot), learn
> and use TPM, hardware key to unlock boot process, full disk encryption
> of OS, "toryfing" apps that go to network (via torsocks for example),
> flatpaks (general containerization/sandboxing of apps) etc etc
>
and then the user browses to www.facebook.com and all your effort was wasted

Regards,

Daniel


1. https://github.com/corna/me_cleaner/wiki/Intel-Boot-Guard

Re: rm ~/.gnupg/secring NOW!

[Daniel Pocock]

On 02/08/17 21:30, Adam Borowski wrote:
> On Wed, Aug 02, 2017 at 09:53:27PM +0200, Adam Borowski wrote:
>> If you have ever generated or imported a gpg secret key using gpg 1 or 2.0
>> (ie, before Stretch), then used --delete-secret-key, please
>> rm ~/.gnupg/secring.gpg
> Obviously, this assumes you did run a gpg command after upgrading from
> jessie and thus triggered the upgrade to 2.1 format.  Ie,
> ~/.gnupg/.gpg-v21-migrated exists.
>
> And if not... well, an opportunity to test your backups was overdue :p
>

Would problems like this be avoided by using the PGP/PKI Clean Room[1]?

I've proposed a discussion[2] about it for DebConf

Regards,

Daniel

1. https://danielpocock.com/dvd-based-clean-room-for-pgp-and-pki
2. https://debconf17.debconf.org/talks/66/

vPro and secure Debian systems

[Daniel Pocock]

Hi all,

There is a page[1] about AMT / vPro on the wiki, it doesn't mention any
of the security concerns[2] about this technology.

Is there anything that Debian can do as an OS (e.g. default settings,
check during installation) to protect users from risks associated with vPro?

For people who have a computer or laptop with vPro capabilities, can it
be made secure or are they better off getting rid of that system?

A lot of new Intel-based laptops, e.g. Thinkpads, offer a choice to buy
with or without vPro.  Does deselecting vPro during the customization
process actually make any difference from a security perspective, or is
the same stuff still present in the system anyway?

Regards,

Daniel


1. https://wiki.debian.org/AMT
2.
https://security.stackexchange.com/questions/128619/what-are-the-privacy-and-security-risks-associated-with-intels-management-engin

Re: guidance on (Women's) MiniDebConf fees

[Daniel Pocock]

On 23/07/17 17:46, Paulo Henrique de Lima Santana wrote:
> Hi Daniel,
>
> - Mensagem original -
>> De: "Daniel Pocock" 
>>
>> Would you consider adding any more guidance on the wiki[1] about
>> expenses that are likely to be approved or excluded for people who
>> organize a (Women's) Mini DebConf,
>
> Just to know, are you planning a Women's Mini DebConf?

Somebody has asked about organizing one, it would be up to them to
announce it when they are ready.

If people wanted to identify themselves as potential volunteers or
speakers they could introduce themselves on debian-women

Regards,

Daniel

guidance on (Women's) MiniDebConf fees

[Daniel Pocock]

Hi Chris,

Would you consider adding any more guidance on the wiki[1] about
expenses that are likely to be approved or excluded for people who
organize a (Women's) Mini DebConf, or do you prefer to avoid listing
them and simply review them on a case-by-case basis?

For example, would Debian only pay for speaker's travel (already
explicitly mentioned in the wikis) or can organizers also request funds
for venue hire, catering and publicity?  Is it possible to go further
and provide any hints about what figures are reasonable?  Or would they
be expected to find their own sponsors for such things as some events do?

My personal impression is that in some regions speaker's accommodation
costs may be quite low compared to other cities, Debian actually saves
some money and that could offset venue costs.  However, in such regions
the potential funding from local sponsors may be harder to obtain, so
some venue & catering funds may be needed.

Regards,

Daniel

1. https://wiki.debian.org/Teams/DPL/SponsoringGuidelines#Meeting_Guidelines

developers feeling paranoid and old-fashioned?

[Daniel Pocock]

Hi all,

Most of us have probably seen words like "security paranoid" and "old
fashioned" used in relation to valid practices that free software
developers use for safety and efficiency.  After all, most people
wouldn't call their doctor "hygiene paranoid" but they would complain to
no end if they found a large dead rat in his office.

For a little project I'm working on, I'd be interested to collect any
other terms you've seen used in a similar way, feel free to reply privately.

Regards,

Daniel

collaboration with the Open Labs community, Tirana

[Daniel Pocock]

Hi all,

As recently discussed, Chris Lamb and I had a really positive
impression[1] of the work Open Labs[2] is doing in Tirana.

They are now involved in organizing[3] another event at the end of the
summer, FOSScamp in Syros, Greece.  I forwarded the full email on
debian-events-eu[4]

Looking beyond the promise of sun and beach, FOSScamp is also just a few
weeks ahead of the Outreachy selection deadline so anybody who wants to
meet potential candidates in person may find this event helpful.

They have existing relationships with several other free software
communities but they have expressed a sincere and well motivated
interest in getting to know Debian as well.

If anybody wants to discuss the possibilities for Debian involvement in
the event then the best place to do that may be on the Open Labs forum
topic[3]

Regards,

Daniel



1. https://lists.debian.org/debian-project/2017/05/msg00124.html
2. https://www.openlabs.cc
3. https://forum.openlabs.cc/t/fosscamp-2017-syros-greece/459
4. https://lists.debian.org/debian-events-eu/

report from OSCAL'17

[Daniel Pocock]

Chris Lamb and I recently attended OSCAL'17[1], I'm writing this report
based on my own experience of the event.  OSCAL'17 is organized by Open
Labs[2], a free software community based in Tirana, Albania.

OSCAL'17 was presented to me when I met some of the Albanian team at
FSFE summit and also at FOSDEM.  They are active in many other
organizations too, including FSFE, Mozilla, OpenStreetmap and Fedora.
They expressed an interest in Debian too, but they were not aware of any
Debian Developers based there.  They also run a Linux weekend (which was
promoted on debian-events-eu[3]), various hackathons and other events
throughout the year.  There is also discussion[4] about a cryptoparty in
the near future.

On arriving, two members of the organizing team, Kristi and Jona, met me
at the airport.  They had also arranged a nice welcome gift in my hotel
room[5].  The team went out of their way to welcome all the
international guests.

Friday, 12 May, the day before the conference, several of us met at the
Hackerspace in the afternoon.  It is a new facility and they are keen to
expand it.  Donations of hardware would be particularly welcome and
would be well used.

Friday night many of the visitors met at a bar near the center for drinks.

On 13 May I presented a workshop about the Debian Hams[6] project, ham
radio and SDR in general.  I presented similar workshops at MiniDebConf
Vienna and Cambridge last year.

The venue had great weather and open windows from the workshop room on
the first floor so I was able to mount the loop antenna externally at
this event.  I started setting it up a couple of hours before the
workshop with help from a few members of the Open Labs team.  The
outdoor antenna, combined with the fact I had brought a portable ATU as
well, allowed us to receive a range of commercial shortwave
transmissions and ham broadcasts from much further away.  A full
overview of the hardware setup is on my blog[7], along with a brief
video of the demo.  Using the loop antenna indoors (as demonstrated at
previous events) it is only likely to pick up stronger commercial
shortwave stations and ham stations in the immediate vicinity of the
venue (such as a transmitter in somebody's car parked outside).

I went to a couple of sessions after the workshop, including one by the
director of town planning who explained the arrangement[8] the city of
Tirana has made with Open Labs.

In the evening, speakers were invited to a feast at the restaurant
Pajtimi, there was a wide range of meats and other dishes, it was quite
a feast and we were well looked after.

On 14 May I had a couple of sessions late in the afternoon, so I decided
it would be a good idea to set up the ham radio/SDR demo at the Debian
booth in the morning.  The tables were set up at the edge of a courtyard
and the architect had conveniently included a stairwell onto the roof so
people could climb up and install their own HF antennas.  As in the
workshop the previous day, it was relatively easy to get the loop
antenna installed a few meters above the ground and we immediately
started to receive a range of signals from thousands of kilometers away.
 Several volunteers from the OSCAL team helped get it installed quickly.

The demo was quite popular and a large number of visitors stopped to see
it at the Debian booth.

Shortly after lunch, I downloaded the Debian Hams ISO image[9], placed
it on a USB stick and used it to boot somebody else's laptop into the
SDR software (gqrx) so I could take my own laptop away for other things.
 Being able to do this so easily with a Debian live ISO really
emphasizes the strength of Debian as a complete system.

I'd like to emphasize the popularity of the demo and the fact it shows
off many features of Debian combined with some interesting hardware.
Other developers who want to give this demo at events do not need to
have a ham license to do so, you only need a ham license for
transmitting.  If you don't enjoy giving talks or workshops, simply
running the demo at a Debian booth is also a great idea.  If you want to
recreate this demo elsewhere, please see the recipe on my blog[7] and
feel free to ask for help on the debian-hams list[10].

Later that day I had two more sessions, a talk about Free RTC and a
discussion about the Open Agriculture project[11] and building a food
computer.

One particular strength of the Open Labs community that was noticed by
many guests at this event was the successful commitment to diversity, in
particular, computing doesn't appear to be as male dominated as in some
other events.  I met several people who would appear to be good
candidates for future rounds of Outreachy and I posted about this on the
Open Labs forum[12].  Open Labs has several successful women in
leadership positions and they have also recently run a hackathon for
women so there could be good opportunities for mentoring collaboration
or for a future women's MiniDebConf[13] event.

Regards,

Daniel


1. https://oscal.openlabs

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 02/05/17 06:35, Gunnar Wolf wrote:
> Daniel Pocock dijo [Mon, May 01, 2017 at 09:00:34AM +0200]:
>> Can you give an example of shipping costs from Mexico to the US and
>> Mexico to Brussels (for FOSDEM)?
> 
> Bufff... It's a matter of checking the weight and asking DHL, Fedex,
> and all of their kin :-| 
> 

Could you give an example of weight for 10 shirts?  That may be helpful
for anybody who wants to calculate.

>> I assume that if they were sent to a European country there would be
>> VAT charges on arrival, between 8% and 23% depending on the country.
> 
> IIRC, it's covered within the various free trade agreements our
> country has. Maybe somebody remembers better than me in European
> DebConfs (I've always ran away from handling monetary issues).
> 

A free trade agreement generally eliminates the customs duties but not
the consumption tax although with some care the tax can be managed.

The consumption taxes (EU VAT, Australia, Canada GST, Switzerland MwSt)
always have to be paid if the product would be taxed in a retail store.
A few exempt items (books, gold bullion, some medicine) are not taxed at
the retail level, so they are not taxed at the border.

There are situations where it may not apply but care is needed to plan
for that in advance:
- if a tax registered entity does the import (e.g. if DebConf17 has a
GST registration or collaboration with a local business) then they may
be able to reclaim that tax, it looks like 5% in Canada, they would need
to check in advance and ensure the paperwork is right
- when bringing things to the EU, some countries charge a lower VAT
rate, e.g. 15% in Luxembourg is less than 21% in Belgium and once they
are in the EU, they can be moved to other EU countries without paying
VAT again.
- if they come into Switzerland it is only 8% but anybody taking them
over the border into the EU in bulk would have to declare them and might
be asked to pay the higher tax.  Personal items (clothing, etc) carried
out of Switzerland in your luggage is exempt but anything over 20 EUR
posted out of Switzerland is taxed.

So the bottom line is that people have to make extra effort to plan in
advance or just pay it.

>> I did a quick search for information on the polo shirts, I have one
>> with a logo in red and the other one has the logo in red and "debian"
>> in white.  Both are embroidered onto the shirt and they last a long
>> time.  Here is an example[1] from China:
>>
>> 500 polo shirts x $1.90 = $950
>> 1500 polo shirts x $0.60 = $900
>>
>> So it is cheaper to make 1500 than 500.  I wonder if they would allow
>> different coloured shirts (e.g. 500 black, 500 white, 500 blue) in a
>> single batch.
> 
> Those producers are best suited for high-volume production, I'm giving
> you the numbers for a small, family-owned, family-worked workshop
> where a DebConf run (~500 shirts among all variations) is usually the
> largest work in the year. There is little economic difference per item
> between printing 50 and 500.
> 

As noted in another reply, I see them as a completely different type of
product (polo shirt with only the logo, embroidered, one colour vs
t-shirt with multiple colours and designs) so it is not a price
competition, people could have both t-shirts and polo shirts.  The
screen printing solution you have described also sounds great and it is
good that there is transparency about the supply chain.

Regards,

Daniel

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 01/05/17 21:33, Adam Borowski wrote:
> On Mon, May 01, 2017 at 07:45:06PM +0200, martin f krafft wrote:
>> For many of us, it goes without saying that we'd not take a margin
>> off merchandise we create/sell for our project, mainly because of
>> our idealism.
>>
>> However, at the end of the day, all things considered, if Didier or
>> Person X would mark those items up, say, 5% to cover the incidentals
>> (not the time spent), then I wouldn't have a problem with that.
>> It'll certainly help if they were entirely transparent about it,
>> though.
> 
> I for one would be glad even if he _did_ take a fair fee for his time spent. 
> 
> And it would make a difference:
> 
> # It's been fun in 2011, but I would not do it again, no.  I have better
> # uses of my Debian time.  :)
> 
> If you get compensated beyond the costs, you don't get that warm fuzzy
> feeling of doing gratis work, but still do provide a welcome service to
> members of the project.  If that can tip the threshold between the service
> being provided or not, then why not?
> 


There are various reasons why not:

- opportunity cost: time spent on this is time not spent on other things
where people have more to give

- financial reward isn't always a smart motivation (see Lepper and
Greene, 1973)

- Debian's constitution states we are volunteers, so if people do stuff
like this with Debian money maybe they can't personally be paid for it.

but I personally have no objection to somebody profiting from this if
they are transparent about it and provide a good service to the community.


>> Note also that there's nothing that prevents Person Y from producing
>> Debian merchandise and offering it with a more substantial markup.
>> If people buy it (i.e. the price is right), then everyone benefits…
> 
> Note the data mentioned in this thread:
> * decent printed shirts cost $0.60 in a large batch (including the
>   manufacturer's profit)
> * "very good quality" printed shirts made in a small batch retail for $3 if
>   you skip most of the "rich country" artificial markup (ie, the price you
>   pay in shop is "what the market will bear" rather than just what would
>   keep the seller in business)
> 
> Thus, there's a massive gap between doing it for costs and a full commercial
> operation.  It's not hard to find a sweet spot in between that would flood
> relevant places with people in Debian-themed clothing while not cutting into
> volunteers' unpaid time.
>

Those are very different cases though: the embroidered shirts would
probably be more simple (just the logo) and designed for a long shelf
life.  The screen printed shirts may have more topical designs (e.g. for
DebConf17 or Stretch) and in these cases the smaller quantity is fine.

Regards,

Daniel

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 01/05/17 18:14, Didier 'OdyX' Raboud wrote:
> Le dimanche, 30 avril 2017, 17.42:53 h CEST Andrew M.A. Cater a écrit :
>> Debian.ch did one very cool piece of merchandise - customised Victorinox
>> knives with Debian logo. Fantastic, useful - and potentially illegal to
>> carry but a lovely thing. I think it took a huge time to organise the
>> logistics although the cost wasn't huge since the manufacturers do this
>> regularly and the retooling isn't massive the overhead was high.
> 
> The cost structure for that one-time project made it possible to sell the 
> Debian-branded knives for the same non-branded retail price. That's really 
> cool, but also meant an inexistant margin.
> 
> But add to that the effort it took to collect pre-orders, then orders, and 
> then manage the stock and the international shipping for small and expensive 
> little gems that were acquired initially in an expensive currency (CHF); 
> wedidn't make a penny worth of margin, for _a lot_ of administrativia and 
> effort.
> 

Thanks for the update on that

Would you consider it worthwhile doing an exercise like that again if
people were ordering them in batch to be delivered at DebConf?  That
would eliminate individual trips to the post office, packaging and other
administrivia?

Regards,

Daniel

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 01/05/17 05:36, Gunnar Wolf wrote:
> Daniel Pocock dijo [Sun, Apr 30, 2017 at 01:53:49PM +0200]:
>> 
>> Hi all,
>> 
>> On several occasions people have asked me about Debian t-shirts
>> and the polo shirts when I'm going to an event or after seeing a
>> video where I am wearing the polo shirt.
>> 
>> At some events there are opportunities to mass-produce things in 
>> collaboration with the event team, lowering costs and avoiding
>> the cost of shipping into the event.  For example, the FOSSASIA
>> team produced a lot of roll-up banners and three Debian banners
>> were included in the batch.  Similar deals can lower the cost of
>> t-shirt production, especially when the event takes place in a
>> location where costs are lower.
>> 
>> A few people have expressed concern about the production of
>> t-shirts though: (...)
> 
> Just my experience here:
> 
> Many years ago, my then-couple and me ran a textile printing 
> small-scale workshop. She still runs it, and she will print
> DebConf's shirts this year (as she has repeatedly done - DebConf 6,
> 7, 9, 10, 13, 14, 15 and 17 shirts all went through her hands :) ).
> Of course, back in the day, we printed many shirts related to Free
> Software projects. We even made some minor trademark violations
> which I openly acknowledge as such (i.e. we printed IIRC 50 shirts
> with the Firefox and the Mozilla logos for the Firefox 1.0 release
> party... Only to find out later they did have a trademark policy...
> Oh, we were young and innocent :-] )
> 
> Anyway, beyond the memory trip... T-shirts are *awesome* for 
> promotion. Good material T-shirts much more so - I still have in
> very good condition most of my home-printed shirts... With our
> production starting in 2004. I did take a bag of shirts to several
> conferences (several local ones, and at least I took a case with
> probably 50 to DebConf5 in Helsinki).
> 
> Thing is, sadly, I hate manning the sales booth. Selling shirts is
> a quick way to make money. If you print in "cheapish" countries
> such as mine (Mexico), a very good quality shirt+print would cost
> around US$3 if my numbers are right. I am *stumped* to find ~US$30
> shirts for sale in the USA; I have bought a couple of debian.ch
> shirts (which are great!), but it's hard for me to understand where
> the price comes from. Of course, then I remember what is said about
> .ch...
> 
> Anyway, if any of you is interested: We have found for DebConf that
> if most often makes a lot of economic sense to print shirts in
> Mexico and ship them via the usual courier services; if any of you
> is interested, even in relatively short runs of products, I'm sure
> Gaby will be happy to provide good work and material (and, of
> course, I can provide the contact if needed). You mention
> "economies of scale" - It does not really matter. I am not up to
> date with prices, but they should have not moved much... The cost
> for making one silk-screen original (for a workshop that does _not_
> have their own development lab) is about US$5 per color. Shirt
> prices go down at around the 10, 25 and 50-items, but beyond there,
> you won't gain much.
> 
> It usually makes no sense, so, to make big print runs and lug /
> move around stock. It's best to just print as you go, and that way
> even just take "current" designs to each event (plus some bits of
> stock you have left over)... If I were to offer you, for very
> cheap, our shirts for Sarge or Etch, I don't think you'd be very
> interested! That would become lost money.
> 

Can you give an example of shipping costs from Mexico to the US and
Mexico to Brussels (for FOSDEM)?

I assume that if they were sent to a European country there would be
VAT charges on arrival, between 8% and 23% depending on the country.

I did a quick search for information on the polo shirts, I have one
with a logo in red and the other one has the logo in red and "debian"
in white.  Both are embroidered onto the shirt and they last a long
time.  Here is an example[1] from China:

500 polo shirts x $1.90 = $950
1500 polo shirts x $0.60 = $900

So it is cheaper to make 1500 than 500.  I wonder if they would allow
different coloured shirts (e.g. 500 black, 500 white, 500 blue) in a
single batch.

Regards,

Daniel

1.
https://www.alibaba.com/product-detail/100-cotton-High-Quality-Customized-Logo_60450761521.html

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 30/04/17 21:54, Sebastiaan Couwenberg wrote:
> On 04/30/2017 09:37 PM, Daniel Pocock wrote:
>> On 30/04/17 14:18, Sebastiaan Couwenberg wrote:
>>> On 04/30/2017 01:53 PM, Daniel Pocock wrote:
>>>> - how do people view the distribution of merchandise, is the primary
>>>> goal fundraising or is it about brand exposure?
>>>
>>> There are more reasons than these two.
>>>
>>> For the t-shirts that I had made and sold at the T-DOSE & FOSDEM
>>> conferences the primary motivation was user demand. Especially at T-DOSE
>>> I got several questions if we had T-shirts and had to tell them no, this
>>> resulted in having shirts made the next year.
>>>
>>> There is also a lot of demand for laptop stickers, which I haven't had
>>> made yet, but am considering.
>>
>> Let me put it another way: when you are trying to meet that demand from
>> people, do you make that effort because you want to raise money or
>> because of brand, community, etc?
> 
> I do it as a service to our community.
> 
> Debian doesn't need to sell merchandise to raise money, the project gets
> more in donations than it spends.
> 

That's exactly what I was getting at with that question, I suspect most
people will agree any merchandising is not for fundraising.

Taking that point further, if the goal is community, do people feel that
merchandizing should break even or that it can actually be subsidized?
I've heard different opinions on that from different people already.

Regards,

Daniel

Re: producing, distributing, storing Debian t-shirts

[Daniel Pocock]

On 30/04/17 14:18, Sebastiaan Couwenberg wrote:
> On 04/30/2017 01:53 PM, Daniel Pocock wrote:
>> - how do people view the distribution of merchandise, is the primary
>> goal fundraising or is it about brand exposure?
> 
> There are more reasons than these two.
> 
> For the t-shirts that I had made and sold at the T-DOSE & FOSDEM
> conferences the primary motivation was user demand. Especially at T-DOSE
> I got several questions if we had T-shirts and had to tell them no, this
> resulted in having shirts made the next year.
> 
> There is also a lot of demand for laptop stickers, which I haven't had
> made yet, but am considering.
> 

Let me put it another way: when you are trying to meet that demand from
people, do you make that effort because you want to raise money or
because of brand, community, etc?


>> - would it be reasonable for 1% - 2% of Debian's reserves to be tied up
>> in slow moving inventory items like t-shirts that take up to a year to
>> fully turnover?  As the reserves are mostly kept in cash Debian probably
>> loses at least that much to inflation each year anyway.
> 
> This is tricky, since Debian is non-profit and selling merch can be
> considered a for-profit activity.

"Non-profit" means that Debian does not distribute surplus profits back
to people such as shareholders.  It does not mean that Debian can not
make a profit on the sale of a t-shirt, as long as that profit is
re-invested in the organization.

> Having Debian funds available for merchandise will lower the barrier for
> Debian people to to have it made since they don't have to invest their
> own money.
> 
> Kind Regards,
> 
> Bas
> 

producing, distributing, storing Debian t-shirts

[Daniel Pocock]

Hi all,

On several occasions people have asked me about Debian t-shirts and the
polo shirts when I'm going to an event or after seeing a video where I
am wearing the polo shirt.

At some events there are opportunities to mass-produce things in
collaboration with the event team, lowering costs and avoiding the cost
of shipping into the event.  For example, the FOSSASIA team produced a
lot of roll-up banners and three Debian banners were included in the
batch.  Similar deals can lower the cost of t-shirt production,
especially when the event takes place in a location where costs are lower.

A few people have expressed concern about the production of t-shirts though:

- production cost and difficulty of transporting in luggage, both
relatively high compared to the cost of stickers and some other merchandise

- lack of volunteers willing to handle and dispatch inventory (this was
raised by debian.ch after trying to retail some online)

Personally, I feel that clothing makes a particularly strong impression
as people only wear one t-shirt at a time and if they choose to wear a
Debian t-shirt, that is a strong endorsement of the Debian project. 
Conversely, if there is an absence of Debian t-shirts in the community
(or if Debian was to produce too many shirts that all look the same)
people wear other things.

I also feel that the relative effort for a developer to organize a batch
of 100 is not much more than the effort of producing 10 or 20.

This brings me to a few questions:

- how do people view the distribution of merchandise, is the primary
goal fundraising or is it about brand exposure?

- would it be reasonable for 1% - 2% of Debian's reserves to be tied up
in slow moving inventory items like t-shirts that take up to a year to
fully turnover?  As the reserves are mostly kept in cash Debian probably
loses at least that much to inflation each year anyway.

- what is the best strategy for production and distribution?  Would it
be cheaper and less effort for volunteers if 10,000 shirts were simply
produced in China and divided up between every developer willing to
distribute them within their local community at their own pace and
without formal inventory controls?  Or is it better to produce small
batches when the opportunity arises?

- what should be produced?  In low quantities we get very standard
t-shirts.  In higher quantities we may have more choices of fabrics,
more distinctive styles and printing techniques that last longer.  We
could even produce some rolls of Debian fabric for people to have
tailor-made shirts, table cloth, curtains, etc.

- what aspects of production are people willing to volunteer for?  For
example, some people have volunteered to create t-shirt designs and
other people have volunteered for Debian booths at events.  What other
tasks do people need to volunteer for, e.g. keeping inventory, and are
there volunteers?

- has anybody looked at any strategies to completely outsource
merchandising or to do such things jointly with other groups to get
economies of scale?  For example, at some events the Debian t-shirts can
be retailed on a table run by the local community without developers
needing to be at a booth, all we may need to do is bring the stock and
take it away again later.

Regards,

Daniel

Re: Final bits from the (outgoing) DPL -- March-April 2017

[Daniel Pocock]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 16/04/17 11:45, Mehdi Dogguy wrote:
> Dear developers,
> 
> First, I'd like to congratulate Chris on his election. I am sure
> Chris will be a great DPL and will have full support from our
> community!
> 
> Serving as DPL for the past year has been a real honour and a 
> fantastic experience for me. It also helped me to have a different 
> perspective on the project and my future involvement.
> 

Mehdi, thanks for volunteering and doing a great job as DPL

Congratulations Chris

-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJY80dUAAoJEGxlgOd711bEw+8P/1qRM4VPOUl5IlJac1/krTAo
RERVILjTDZNw+Dj1l9en+DDUBG9EchLY9XKG30EX2L8Jay1+Dqm4M4hPJhfL6CQc
M1Nfwoy92ICAbkl/KWT+2GzF8Un/Hw0kBkNjNb+2TmDONCrlmWqsbzDlUpSF+8yD
rmE3afLQA24Q1WK0XPUiSwfuPB/YJRDbQlN24J+sz1UkCOfiV47rNu7jhzGa/St4
ceGONZXih+N0+v7YJEpCpUuTndRyDhUfrzwVSyStn/pK248ly7xIA5uMwW7ev2zZ
j8ivV9Gax/9q6nPcVXkHZvL16CgD47+QA9mtUJBKBiznxCQm/P7Susty4RPMxbGd
Mi6hzBoXHLJW/oXDfyR58bHw/e1zjMJJ++A4S3Hz9Y/G2tM7lPw7we1y1oTP+uq3
KCOQBYib1PyDnxuAzieNt9qbD3GTQnhY3EsLmc1+IMb8hr+cA8jNoHo8UB8o31E3
jfaBBJmRhtbnMakNC+NGoeTLmOrnchXpOwfDkLA+O2HP2/JlgJAO9JaWQ/Us38xm
jXa3V1NctItjbctpFgZ4pnXYP2/akrEGoCwZrCRa1EGY0CPx0cyGV1da436X2ueY
ZfZhhdQ3GjWVDG3n/MsPpG9sdR15ji6+sIxVE0MpwIcNCHMKJzsNVVGqiMzlo2ru
vsFeb5aP9foz2o1ecaao
=GXaV
-END PGP SIGNATURE-

using Debian funds to sponsor other events?

[Daniel Pocock]

Hi all,

Have there been previous discussions about using Debian funds to sponsor
arbitrary free software events?

I don't think Debian has the financial means to sponsor any arbitrary
event or to give funds to events just for publicity or goodwill.
However, maybe there are cases where other events might spend the money
in a way Debian would have used the money and then the publicity and
goodwill Debian gets from being listed as a sponsor is a bonus.

Here are some of the thoughts that came to my mind:

- given the growing inconvenience of travel, and the high cost (both
financial and time) for developers to travel to global events, there are
cases where it is more productive for developers to attend local events

- local events are not always "Debian" events though, they may involve a
combination of different communities

- some events may spend the money on things the DPL would have approved
anyway (e.g. paying travel expenses for Debian people who volunteer,
give talks, operate a booth)

- if the event team is able to take a chunk of Debian money and
administer the expenses this may be more efficient than Debian's own
trust organizations working through the individual expenses

- sometimes the event teams add extra value too, e.g. at FOSSASIA they
were able to have Debian stand-up banners produced as part of a bigger
order.  Other examples may include events who can provide equipment for
a Debian booth.

- maybe Debian could even publish some criteria and invite organizers of
events to apply for grants?  E.g. Debian offers $US 1,000 to any event
that does A, B and C, with a maximum of X sponsorships per year.

Regards,

Daniel

Debian presence at OSCAL'17 (weekend 13-14 May, Tirana, Albania)

[Daniel Pocock]

Hi all,

OSCAL17[1] in Tirana is just over a month away.  I've had some private
discussions with the organizers and it was also discussed on this list a
few weeks ago in the thread[2] about Linux Weekend'17 Tirana.

I'm keen to go along myself and do some Debian-related things there,
including a booth and a talk.  Did anybody else involved in Debian
already submit any proposal through the call for papers?

Is anybody based in the area or otherwise thinking about attending?

Has anybody already submitted any request to the DPL for funding or
would anybody be interested in collaborating on a funding request?

As in previous events, participants could potentially qualify[3] for
funding by representing Debian in some way, grouping some talks into a
Mini-DebConf track or by having a sprint or BSP there.  The DPL would
have the last word on this but I would be interested to hear any
thoughts people have before sending him a formal request.

Regards,

Daniel


1. http://oscal.openlabs.cc/
2. https://lists.debian.org/debian-events-eu/2017/02/msg00010.html
3. https://wiki.debian.org/Teams/DPL/AskingForMoney

FSFE Summit report

[Daniel Pocock]

I've recently attended the FSFE Summit[1], combined with QtCon[2],
KDE and VideoLAN project gatherings, in Berlin.

This is the first time FSFE has run a summit and it was organized
to co-incide with the 15th anniversary of the organization.

The different communities combined their schedules in a single program
which is available on the QtCon website[3].

Only a small number of organizations had booths at the event,
mainly sponsors seeking to recruit people.  I inquired a few weeks ago
if it would be possible for community organizations like Debian to have
tables and they weren't able to accommodate that in this first instance
of the summit.

As some people may already know, FSFE is not fundamentally a
development-focused organization, they focus[4] on advocacy, policy and
social issues relating to free software.  The people at the event and
the range of talks reflected this focus.

In fact, there was an extraordinarily diverse range of talks and by far
the biggest problem people encountered at the FSFE summit was choosing
which talks to attend because many interesting talks were always
happening at the same time.  Looking at the diversity of the talks, they
included hands-on advice about free software for businesses, feedback
about experiences people have had promoting free software in the
non-profit sector, discussions about FSFE infrastructure issues, updates
on policy challenges coming from the European legislators, lightning
talks and a wide range of technical talks from the other communities
present at the event.

One talk I'd like to mention in particular: Marta Rybczyńska gave a
talk about how to give a talk presenting your favorite project[5], I
would encourage anybody who hasn't given a talk before to watch her
video and consider having a go at a Mini DebConf[6] (Cambridge is very
soon now) or another event.

On the first night of the event people from all the different
communities dined together in the venue and then had a social evening
with fussball, darts and slot cars.  On the second night the FSFE
community went to the c-base[7] hackerspace, for a party celebrating
FSFE's 15th birthday.  15 years have disappeared quickly, but nothing
disappeared faster than the pizzas.

Personally, I gave a lightning talk about the Postbooks Qt-based
accounting/ERP software[8] and a talk about strategies for increasing
the success of Free Communications[9] with Free Software.

It is not yet confirmed when the event will be run again or what form it
might take, I personally feel it is a particularly valuable opportunity,
especially for European members of the Debian community and I would hope
to go again.

Regards,

Daniel


1. https://fsfe.org/community/events/2016/summit/frontpage.en.html
2. https://qtcon.org/
3. https://conf.qtcon.org/en/qtcon/public/schedule
4. https://fsfe.org/work.en.html
5.
http://www-ftp.lip6.fr/pub/X11/kde-applicationdata/akademy/2016/338_why_and_how_to_present_your_project.mp4
6. https://wiki.debian.org/MiniDebConf
7. https://www.c-base.org
8.
http://ftp5.gwdg.de/pub/linux/kde/extrafiles/akademy/2016/585_lightning_talk.mp4
9. https://conf.qtcon.org/en/qtcon/public/events/448

Re: public stats about posts in -private

[Daniel Pocock]

On 20/07/16 03:46, Gunnar Wolf wrote:
> Daniel Pocock dijo [Mon, Jul 18, 2016 at 09:36:52PM +0200]:
>>> On 2016-07-18 18:21, Daniel Pocock wrote:
>>>> There are some things on -private that could be summarized with
>>>> statistics publicly, e.g. the reasons people give when they retire from
>>>> the project (X% cited reason A, Y% cited reason B, ...)
>>>>
>>>> Is there any consensus on whether deriving anonymous statistics from
>>>> debian-private is acceptable?
>>>
>>> Acceptable, perhaps, but almost certainly not worth anybody's actual time.
>>
>> Comments people make about reasons for retiring could provide meaningful
>> background data when considering the impact of future decisions.
> 
> As one of the people who track retirement messages (as keyring-maint
> often does the first steps of the retirement process, and pass the
> ticket on to other groups later on), I agree with Jonathan. By far,
> the most often cited reason is "I have no time nor motivation to do
> this properly anymore" or some variation on it. Real (that is,
> analyzable) reasons are almost never even mentioned.
> 


I would agree that is one of the things that could be summarized.
Sometimes people also mention family reasons or changes in employment.

Maybe such insights aren't very dramatic but even that much hasn't been
stated publicly before because those emails are sent on debian-private.

It could also be interesting to ask people who retire to complete a
small survey with the stats becoming public.

Re: public stats about posts in -private

[Daniel Pocock]

On 18/07/16 21:22, Jonathan Wiltshire wrote:
> On 2016-07-18 18:21, Daniel Pocock wrote:
>> There are some things on -private that could be summarized with
>> statistics publicly, e.g. the reasons people give when they retire from
>> the project (X% cited reason A, Y% cited reason B, ...)
>>
>> Is there any consensus on whether deriving anonymous statistics from
>> debian-private is acceptable?
> 
> Acceptable, perhaps, but almost certainly not worth anybody's actual time.
> 
> 

Comments people make about reasons for retiring could provide meaningful
background data when considering the impact of future decisions.

public stats about posts in -private

[Daniel Pocock]

There are some things on -private that could be summarized with
statistics publicly, e.g. the reasons people give when they retire from
the project (X% cited reason A, Y% cited reason B, ...)

Is there any consensus on whether deriving anonymous statistics from
debian-private is acceptable?

Regards,

Daniel

Re: Debian slogan / tag line / emphasizing freedom

[Daniel Pocock]

On 07/06/16 20:01, Russ Allbery wrote:
> Daniel Pocock  writes:
> 
>> Debian has been using the slogan / tag line "The Universal Operating
>> System" for as long as I can remember.
> 
>> It is a good choice and it represents the aims of many contributors, but
>> is it the optimal choice today?
> 
>> For example, has there ever been discussion about replacing it with a
>> slogan that puts an emphasis on freedom, another value that is important
>> to many contributors?
> 
> That's always spoken to freedom to me, since something that isn't free
> can't be universal.  By definition, access to it is restricted in some way
> to some blessed set of people, either by money or by some other legal
> arrangement, which is the opposite of universal.
> 

Free may imply universality, but the opposite isn't true.  The NSA aims
to achieve universal coverage, but does that give people more freedom or
less?

I'd suggest that universal is a slightly neutral term with respect to
freedom.

Re: Debian slogan / tag line / emphasizing freedom

[Daniel Pocock]

On 07/06/16 13:53, Holger Levsen wrote:
> On Tue, Jun 07, 2016 at 07:50:25AM -0400, Paul Tagliamonte wrote:
>> On Tue, Jun 07, 2016 at 12:22:51PM +0200, Adam Borowski wrote:
>>> Make Debian Great Again.
>> Because a few people seem confused, this is the slogan of the U.S.
>> reality TV star turned politician Donald Trump.
> Trump even stole this slogan from Ronny Reagan…
>
>

Careful, you should prefix statements like that with "allegedly" or
he'll either turn his lawyers on you or tell the world you are a Mexican

By the way, has there been any spike in applications for Mexican
passports since Trump started disparaging them?

Re: Debian slogan / tag line / emphasizing freedom

[Daniel Pocock]

On 07/06/16 13:53, Paul Tagliamonte wrote:
> On Tue, Jun 07, 2016 at 01:27:34PM +0200, Daniel Pocock wrote:
>> Some organizations use latin for a motto: how about veni, vidi, contributi?
> (I think this is a bit tacky)
Agreed, it was deliberately comical.  The original form, veni, vidi,
vici may vaguely be connected with the well known figure who lurks
behind Adam's suggestion.  I'm not sure any of my concepts are as great
as the current slogan, they were simply provided to give examples of
other directions it could go.

>
> Most organizations just plain don't have one. If they do, it's humorous.

Like "For the Game".  Now there is a side-game improvising on the slogan
to reflect the current state of said organization[1].

>
> I don't have a problem with "The Universal Operating System", and I feel
> like this thread is just one huge bike shed if not waiting to happen,
> then plans are being drawn up.
>
> I see two options:
>
>  1. No one can work up the energy to care (status quo)
>  2. We get rid of the tagline
>
> I vote 1 > fd > 2

I agree it could be seen that way but I think it is a long way from any
vote.

Many organizations also spend far more time and money on consultants
helping them with such bike shedding/refreshing their slogan every few
years than they invest on their culture and character.

The current slogan is great and I would be disappointed if any comments
appeared disparaging it as that is not the intention of this thread. 
Apart from the reference to freedom, another thing that comes to mind is
that it doesn't exactly refer to the great community.

If somebody does have a great idea though they are very welcome to share it.

A couple of other ideas also come to mind:

- having different slogans for the product and for the organization

- having a tag line for each release, highlighting something innovative
like speed, privacy or security

Regards,

Daniel


1.
http://www.fifa.com/about-fifa/news/y=2007/m=5/news=for-the-game-for-the-world-new-fifa-slogan-brings-social-responsibilit-529894.html

Re: Debian slogan / tag line / emphasizing freedom

[Daniel Pocock]

On 07/06/16 12:22, Adam Borowski wrote:
> On Tue, Jun 07, 2016 at 11:20:53AM +0200, Daniel Pocock wrote:
>> Debian has been using the slogan / tag line "The Universal Operating
>> System" for as long as I can remember.
>>
>> It is a good choice and it represents the aims of many contributors, but
>> is it the optimal choice today?
> Make Debian Great Again.

That sounds more political than product oriented.

Some organizations use latin for a motto: how about veni, vidi, contributi?

Debian slogan / tag line / emphasizing freedom

[Daniel Pocock]

Debian has been using the slogan / tag line "The Universal Operating
System" for as long as I can remember.

It is a good choice and it represents the aims of many contributors, but
is it the optimal choice today?

For example, has there ever been discussion about replacing it with a
slogan that puts an emphasis on freedom, another value that is important
to many contributors?

E.g. "Powering your freedom", "Enabling your freedom", "The free
platform", "The universal free OS", etc

It would be interesting to consider this in the lead up to the next
stable release.

shortlisting ready-to-run server derivatives

[Daniel Pocock]

Has anybody made a comparison or evaluation of any of the ready-to-run server 
solutions, such as Turnkey Linux (based on Debian jessie) and ClearOS (based on 
CentOS 7)?



-- 
http://danielpocock.com

Re: third-party packages adding apt sources

[Daniel Pocock]

On 19/05/16 19:04, Ian Jackson wrote:
> Daniel Pocock writes ("third-party packages adding apt sources"):
>> b) many upstreams appear frustrated about getting their package
>> officially supported in Debian.  Sometimes there is good reason their
>> package doesn't belong in Debian but sometimes it is more about inertia
>> in Debian or the upstream isn't aware about backports and thinks their
>> package will be stuck at a particular version forever
> 
> Providing a proper Debian source package is also a lot more work than
> writing some kind of ad-hoc build system that spits out a .deb or
> three.
> 
>> From a technical perspective, can we do more to prevent users being
>> surprised by packages putting new entries in /etc/apt/sources.list.d?
> 
> IMO we should set up a registry of such organisations, and their
> cryptographic keys, and at least document promises made by the
> organisation about its behaviour with respect to various principles
> that we might care about.
> 
> (For example, "this repo only contains packages which are dfsg-free
> and come with source code"; "this repo contains packages which do not
> themselves phone home"; ...)
> 
>> From an organizational perspective, can we do more to make contact with
>> such upstreams and try to find ways to involve them in releasing their
>> packages through official channels?  Is there any way we could gather
>> data about how many upstreams do this without compromising user privacy?
> 
> Debian proper has a very high bar for inclusion.  Obviously there are
> perhaps some packages which are close to suitable for inclusion, but
> the vast majority of things that aren't in Debian proper are outside
> it for real, nontrivial reasons (whether of technical quality of the
> binaries, technical quality of the source, or political/ethical
> reasons).
> 

Do you think that if these upstreams became involved in other ways - for
example, if we proactively invited them to MiniDebConfs and other events
- we might bridge the gap to help them understand our way of thinking,
whether it is technical or otherwise?

Sure, some of them will never change, some of them have no capacity to
think long-term but there are others who simply don't quite understand
and may go the extra mile if they get to know us a little better.

> What we need to do is provide an easier and better way for unofficial
> repositories.  That means an easy way for third party software
> providers to publish repositories which it is then easy for users to
> use, if the user chooses to do so.
> 
> Importantly, we need:
> 
> 1. A way for the user to get good, trustworthy (ie, coming in some
>sense from Debian), information about the repository.  Including
>the identity of the organisation providing it; and some
>classification of Debian's opinion about the software in it.
> 
> 2. A way for the user to reliably get the public keys on their system,
>that doesn't involve them clicking on a .deb on the public
>internet.
> 


Another thing comes to mind: making sure that even if the user
explicitly allows some other repository, they are protected from package
updates that come along and replace other things like apt itself, libc,
bash, gnupg, ...

third-party packages adding apt sources

[Daniel Pocock]

More and more frequently I'm encountering systems where third-party
repositories have been added into /etc/apt/sources.list or
/etc/apt/sources.list.d, usually put there by some .deb package that a
user installed from some third party site.

There are a few things going on here:

a) the .deb format is convenient and respected so when a user sees a
.deb file, they have the impression it is easy to install and
potentially trustworthy

b) many upstreams appear frustrated about getting their package
officially supported in Debian.  Sometimes there is good reason their
package doesn't belong in Debian but sometimes it is more about inertia
in Debian or the upstream isn't aware about backports and thinks their
package will be stuck at a particular version forever

From a technical perspective, can we do more to prevent users being
surprised by packages putting new entries in /etc/apt/sources.list.d?

From an organizational perspective, can we do more to make contact with
such upstreams and try to find ways to involve them in releasing their
packages through official channels?  Is there any way we could gather
data about how many upstreams do this without compromising user privacy?

report from FOSSASIA 2016

[Daniel Pocock]

FOSSASIA[1] took place from 18 - 20 March at the Singapore Science Centre[2]

Chris Lamb, Chow Loong Jin and I were involved in various ways with
exhibition tables and giving talks and workshops.  Various other
developers and contributors were present at various times during the
weekend, it was great to meet so many more members of the Debian family
for the first time.

The DPL authorized production of some banner stands out in Singapore,
they'll come back to Europe, possibly for the Vienna[3] MiniDebConf
(please come, it looks like it will be a lot of fun)

The FOSSASIA team gave us a really good position in the exhibition
space.  We weren't aware of this in advance, but the exhibition
space/tables were distributed throughout public areas of the Science
Centre and this gave us significant exposure to the general public, not
just FOSSASIA visitors.  A photo of the table and banners is on my
blog[4].  If we have an opportunity like this again it would be really
good to prepare some promotional materials to distribute and try to get
more volunteers to the table.

The table also brought me into contact with a number of potential GSoC
applicants.  I tried to spend some time getting to know each of them
personally and showing how they can find people with similar interests
in Debian, e.g. looking through the GSoC project ideas wiki[5], package
maintainer info and bug tracker participants.

Debian's participation at FOSSASIA also involved a close collaboration
with Savoir Faire Linux[6], producers of the Ring[7] softphone. 
Alexandre Lision from SFL presented Ring at FOSSASIA while his
colleagues Guillaume Roguez and Adrien Béraud (who some of us met at
FOSDEM[8]) presented the solution at LibrePlanet[9] by making a call to
the FOSSASIA afterparty at the Singapore Hackerspace.  There was a 12
hour time difference between the two locations.  SFL is based in
Montreal, the host city for DebConf17.

Please also don't forget to send messages of support for the creation of
a debian-events-apac mailing list[10] so it can be used to facilitate
further growth in the region.

Regards,

Daniel

1. http://2016.fossasia.org/
2. http://www.science.edu.sg/
3. https://lists.debian.org/debian-devel-announce/2015/12/msg9.html
4. http://danielpocock.com/fossasia-2016-singapore-1
5. https://wiki.debian.org/SummerOfCode2016
6. https://www.savoirfairelinux.com/
7. https://ring.cx
8. https://fosdem.org/2016/schedule/event/universal_network/
9. https://libreplanet.org/2016/
10. https://lists.debian.org/debian-project/2016/02/msg00034.html

Debian banner designs for use at events?

[Daniel Pocock]

Hi all,

The DPL has authorized production of one or two more banners for use in
Singapore at FOSSASIA this weekend.

Does anybody have any designs that we can give to the printers?

Regards,

Daniel

Re: FOSSASIA Debian speakers and potential mini-DebConf

[Daniel Pocock]

On 04/02/16 16:01, Kartik Mistry wrote:
> On Thu, Feb 4, 2016 at 1:12 AM, Daniel Pocock  wrote:
>> The FOSSASIA conference[1] is coming up again soon, it is in Singapore
>> this year, 18 - 20 March
>>
>> It has also been suggested there could be a mini-DebConf associated with
>> the event in some way.
>>
>> Is anybody interested in participating in any way?  The call for
>> speakers[2] is still open.
>>
>> They also indicated they are unable to fund speaker travel, is anybody
>> aware of opportunities for funding for Debian Developers who are invited
>> to speak at FOSSASIA or an associated mini-DebConf?
>>
>> Singapore is one of the most successful and prominent economic centres
>> in the region and this appears to be a good opportunity for Debian to
>> have some exposure there.
> 
> I visited Singapore last year for FOSSASIA and my feeling was mixed (I
> gave talk on different subject than Debian!). Before that, I met DD
> (and other Debian contributor) and it was fun for sure.
> 
> So, if everything goes OK, I can attend (Conference doesn't provide
> travel+stay to speakers).
> 

Did you decide if you are coming?  I will be there myself, it is this
weekend.



https://wiki.debian.org/FOSSASIA/MiniDebConf2016

Re: Debian Project Leader Elections 2016: Call for nominations

[Daniel Pocock]

On 07/03/16 16:14, Neil McGovern wrote:
> On Sat, Mar 05, 2016 at 11:33:33PM +0100, Debian Project Secretary
> - Kurt Roeckx wrote:
>> The new project leader term starts on Friday the 17th of April, 
>> 2016.  The time line looks like:
>> 
>> | Period | Start| End
>> | 
>> |+--+|
>>
>> 
| Nomination | Sunday, March  6th, 2016 | Saturday, March 12th, 2016 |
>> | Campaign   | Sunday, March 13th, 2016 | Saturday, April 2nd,
>> 2016 | | Vote   | Sunday, April  3rd, 2016 | Saturday, April
>> 16th, 2016 |
>> 
> 
> Just for avoidance of doubt, I do /not/ intend on re-standing for
> my post. I would encourage any candidates to put themselves
> forward.
> 

Neil, thanks for your service to Debian and the wider free software
movement in your role as DPL this last year.

Regards,

Daniel

budget ideas wiki page

[Daniel Pocock]

I've created a wiki page where people can list things that are not yet
at the stage for a formal request to the DPL or link to things that have
already been discussed and not progressed:

https://wiki.debian.org/BudgetIdeas

This could provide a useful resource for pitching ideas to potential
donors, to help people find other people interested in the same idea and
to stimulate new ideas.

Regards,

Daniel

Re: questions about audit and budget processes

[Daniel Pocock]

On 03/03/16 20:47, Jeroen Dekkers wrote:
> At Thu, 3 Mar 2016 19:29:32 +0100,
> Daniel Pocock wrote:
>>
>> On 03/03/16 19:16, martin f krafft wrote:
>>> also sprach Daniel Pocock  [2016-03-03 15:18
>>> +0100]:
>>>> Why wouldn't people also potentially volunteer some time for 
>>>> portfolio management?
>>>
>>> I'd consider this a really bad idea. Portfolio management is
>>> perhaps *the* profession that benefits the most from a professional
>>> (or at least one of them), contract-based separation between client
>>> and actor, with extrinsic motivation of the actor. Even that's 
>>> impossible to properly tie down, but I certainly would never want
>>> to see some people point fingers at others and claiming that they
>>> have lost us money because the markets didn't do as they'd have
>>> hoped.
>>>
>>> Would these volunteers invest in Microsoft? Google? Apple? Nestlé? 
>>> Weapons manufacturers? Companies that exploit resources?
>>>
>>
>> That's not fair, you shouldn't make a list like that without including
>> tobacco companies.
>>
>> Anyhow, I understand the point you are making, I'd be interested to
>> know if many other people feel the same reluctance or have other opinions.
> 
> Instead of managing a portfolio, we can just choose one or a few ETF's
> that track global indices such as the MSCI World Index and the STOXX
> Global 1800. Then you can blame nobody for picking the wrong
> stock. Those still can go down, but the long term gross return is
> higher than the standard interest rates on savings. We indirectly do
> invest in corporations people might consider evil, but the money on a
> savings account can also be lent out to an evil corporation by the
> bank.
> 


Well, that last bit is not quite correct: banks don't just lend out the
money people deposit, they lend it out several times over[1].

E.g. if Debian has $250k in the bank, the bank can lend out $1 million
or more to somebody else and the interest they collect on that $1
million loan is many multiples of the interest they give back to Debian.
 For better or worse, that is the wonder of the fractional reserve system.

Regards,

Daniel

1. https://en.wikipedia.org/wiki/Fractional-reserve_banking#Money_multiplier

Re: questions about audit and budget processes

[Daniel Pocock]

On 03/03/16 19:16, martin f krafft wrote:
> Daniel,
> 
> as I said before, you raise points that are (a) mostly valid and
> (b) not new. I don't want to discuss this without concrete steps
> coming of it, and all you ever do is ask questions.
> 
> Allow me to refute your point about portfolio management though,
> and offer two ideas about alternative uses of the money.
> 
> also sprach Daniel Pocock  [2016-03-03 15:18
> +0100]:
>> Why wouldn't people also potentially volunteer some time for 
>> portfolio management?
> 
> I'd consider this a really bad idea. Portfolio management is
> perhaps *the* profession that benefits the most from a professional
> (or at least one of them), contract-based separation between client
> and actor, with extrinsic motivation of the actor. Even that's 
> impossible to properly tie down, but I certainly would never want
> to see some people point fingers at others and claiming that they
> have lost us money because the markets didn't do as they'd have
> hoped.
> 
> Would these volunteers invest in Microsoft? Google? Apple? Nestlé? 
> Weapons manufacturers? Companies that exploit resources?
> 

That's not fair, you shouldn't make a list like that without including
tobacco companies.

Anyhow, I understand the point you are making, I'd be interested to
know if many other people feel the same reluctance or have other opinions.

>> Personally I'd rather avoid seeing Debian become either a lender 
>> or borrower, unless the transaction was very conservative or 
>> highly strategic.
> 
> FSconservancy would be highly strategic, and while we don't have
> any other uses for the money, they can use it to defend our cause,
> and we'd benefit even if the loan was never repaid.
> 

In that case, donors should have given money directly to Conservancy,
although I personally don't mind if some Debian money went that way.

> An alternative use of our money would be to spend it on sprints, 
> outsourcing of tasks, such as accountancy (and organisation of 
> sprints/events) to third parties, as well as using some of it to 
> design and fund a proper marketing campaign.
> 
> I'll eat a broom (with stick, German idiom) if we didn't manage to 
> replace the substance with a cash flow before it's depleted, 
> assuming it's done properly with enough freedom and the project's 
> backing.
> 

I would agree that spending it productively is a form of investment.

There are valid arguments for spending the whole lot in just one year,
some organizations do this to show their donors that they have
pressing uses for more money.

Regards,

Daniel

Re: questions about audit and budget processes

[Daniel Pocock]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 02/03/16 11:38, martin f krafft wrote:
> Daniel,
> 
> the points you bring up are hardly new. You are also mostly
> talking about keeping books, not auditing.
> 
> The biggest problem with keeping books seems to be that it's a
> merciless and boring job, but one that needs to be done without
> fail (or else it's about as useful as not doing it at all). This is
> why I've argued in the past that we should not rely on volunteers
> to do this, but instead outsource it to a third party, and
> establish procedures to require trusted organisations to send their
> reports there regularly or get their trust revoked.
> 

The idea of outsourcing it seems fine, many people would probably have
a preference for the data to be kept on Debian infrastructure though.

A book-keeper could be hired anywhere in the world, it doesn't have to
be done in a location with high wage costs.

SF Conservancy and SPI currently do some book-keeping for other
organizations don't they?  If they can work on a percentage of
revenue/donations then that doesn't create any long-term obligation
for Debian.


> Or would you be willing to invest all the time required to bring
> our books to status quo, such that it even makes sense for us to
> start keeping them properly?
> 

Ideally, it would be good to have developers/volunteers involved in
one-off efforts and the repetitive stuff outsourced.

For example, setting up a web-application for expense tracking is a
one-off project (hopefully).  Taking some existing solution and
generalizing it to the point where it meets the expectations of all
the trust organizations could be an interesting project for a GSoC
student.

> In my opinion, neither a balance sheet nor a P&L statement make
> any sense and would be far too difficult to create and maintain.
> We wouldn't even know what standard to us. IFRS? US-GAAP? Neither
> of those are particularly applicable to an organisation of our
> nature.
> 

Are you really sure that these statements are not useful?  Can you
give any example of organizations that don't find them useful?

> I think we should stick to a simple ledger and publish a
> simplified, categorised income&expenditures list at regular
> intervals. If done sensibly in hledger, then you get a useful
> balance sheet for free.
> 

Agreed - a ledger is typically the input for both the balance sheet
and the P&L.


>> e) just looking at the SPI balance sheet[4], the amount of money 
>> that appears to be held in trust appears to be far higher than 
>> actual expenditure.
> 
> Yes. See
> https://lists.debian.org/debian-project/2015/03/msg00020.html for
> my explanation. In short, I think we're too cautious to spend 
> "substance" and merely scrape by each year with minimum effort. If
> we had a dependable cash flow, we could easily and would spend more
> money on sprints etc..
> 

It is not just caution, I suspect that it requires people to make some
noise about it and put some process in place to encourage some spending.

E.g. if the DPL says "I want to spend $30,000 this year, give me all
your ideas" and people put them in a spreadsheet and then they get
prioritized.

This should also involve feedback and transparency to donors - "Look
at what we did, look at all the leftover ideas we have for things we
could spend money on if we receive more donations next year"


>> Should the DPL delegate a team to specifically look after long
>> term investment of money that Debian doesn't have any immediate
>> plans for?
> 
> IMHO no.
> 
>> Simply keeping such large amounts of money in a bank deposit at 
>> minimal interest rates appears comparable to using a default 
>> password but making decisions about such money should be
>> something that is separate from the audit team.
> 
> I disagree, especially given the low inflation levels. We also
> have nowhere near enough money to implement a sensibly balanced, 
> conservative asset strategy, nor do we have a liquidity plan or 
> long-term vision as to what to do with those funds.
> 
> Anyway, a reasonable investment strategy for Debian with enough 
> flexibility wouldn't get us more than 2–3% p.a. in interest. Even
> if you went ahead to invest 3/4 of our liquidity in such asset
> classes, we're talking about 7k p.a. in interest, minus the fees
> and time required for management. IMHO, that's not worth the
> effort, nor the discussions.

People are already willing to volunteer their efforts for just about
every other aspect of Debian, such as making software, running events,
list management, repository hosting and it could be argued that none
of that is necessary because we could just use Github, Sourceforge and
Twitter.  Why wouldn't people also potentially volunteer some time for
portfolio management?

> I'd much rather see marketing efforts increase and us building a
> cash flow, then learning how to spend it, and then slowly reducing
> our substance to a more reasonable level, e.g. through
> (interest-fr

Re: questions about audit and budget processes

[Daniel Pocock]

On 02/03/16 10:09, Paul Wise wrote:
> On Wed, Mar 2, 2016 at 4:55 PM, Daniel Pocock wrote:
> 
>> Thanks, I've created links from the audit team's wiki to those pages.
> 
> The auditor team doesn't have anything to do with approving use of
> Debian money, that is the DPL's job.
> 

Should that just be a comment next to the link?

My understanding of an auditor is that they are not just responsible for
counting the money, they usually take some interest in tracking the
procedures an organization uses, even if they aren't a decision maker in
those procedures.

The other links you provided give a process for requesting money and a
process for making payment but they don't really say much about what
goes on in between, the decision making process.  e.g. does the DPL add
everything up into a monthly or quarterly budget, or do things just get
approved on an ad-hoc basis?  Even if it is ad-hoc, stating that
somewhere would make the documentation more complete.

Regards,

Daniel

Re: questions about audit and budget processes

[Daniel Pocock]

On 02/03/16 09:43, Paul Wise wrote:
> I'm not on the auditor team but...
> 
> On Wed, Mar 2, 2016 at 4:30 PM, Daniel Pocock wrote:
> 
>> a) the wiki links to different trust organizations, each of them publish
>> their own accounting records from time to time.  My understanding of the
>> delegation[2] is that the audit team should pull in the data from the
>> different trust organizations and prepare a single consolidated balance
>> sheet and P&L for Debian as a whole.  Does that happen?
> 
> AFAIK the team has had trouble getting that data in a suitable form in
> recent years.
> 

It would be sufficient to prepare a balance sheet with a disclaimer at
the bottom stating whether any figures may be stale or estimates.  It
could then be improved in subsequent years.

>> b) should some of the audit team's responsibilities be specified in the
>> constitution instead of the delegation?  There is already some stuff
>> about trust organizations and assets in there[3], that section would be
>> a good place to include some reference to annual financial statements.
> 
> It would make sense to think about that after the team has managed to
> produce a financial statement for the first time.
> 
>> d) several people have made requests for funding on this list recently,
>> is there a budget process for evaluating, prioritizing and approving the
>> requests?  Should they be submitted against a pseudo-package in the BTS
>> perhaps?
> 
> https://wiki.debian.org/Teams/DPL/AskingForMoney
> https://wiki.debian.org/Teams/DPL/SponsoringGuidelines
> https://wiki.debian.org/Teams/DPL/Reimbursement
> 

Thanks, I've created links from the audit team's wiki to those pages.

questions about audit and budget processes

[Daniel Pocock]

I had a look over the audit team wiki[1] and have some questions about
the audit and budget process

a) the wiki links to different trust organizations, each of them publish
their own accounting records from time to time.  My understanding of the
delegation[2] is that the audit team should pull in the data from the
different trust organizations and prepare a single consolidated balance
sheet and P&L for Debian as a whole.  Does that happen?

b) should some of the audit team's responsibilities be specified in the
constitution instead of the delegation?  There is already some stuff
about trust organizations and assets in there[3], that section would be
a good place to include some reference to annual financial statements.

c) how would the audit team feel about producing a balance sheet and P&L
at least two months before DPL elections each year?  This would make it
easier for all participants (candidates and voters) to evaluate the
financial feasibility of any proposed policies.

d) several people have made requests for funding on this list recently,
is there a budget process for evaluating, prioritizing and approving the
requests?  Should they be submitted against a pseudo-package in the BTS
perhaps?

e) just looking at the SPI balance sheet[4], the amount of money that
appears to be held in trust appears to be far higher than actual
expenditure.  Should the DPL delegate a team to specifically look after
long term investment of money that Debian doesn't have any immediate
plans for?  Simply keeping such large amounts of money in a bank deposit
at minimal interest rates appears comparable to using a default password
but making decisions about such money should be something that is
separate from the audit team.


1. https://wiki.debian.org/Teams/Auditor
2. https://lists.debian.org/debian-devel-announce/2010/10/msg4.html
3. https://www.debian.org/devel/constitution#item-9
4. http://www.spi-inc.org/corporate/annual-reports/2015.pdf

Re: Any Debian support for CubaConf

[Daniel Pocock]

On 28/02/16 13:50, Ben Hutchings wrote:
> On Sat, 2016-02-27 at 09:18 +0100, Daniel Pocock wrote:
>> 
>> On 27/02/16 04:05, Gunnar Wolf wrote:
> [...]
>>> FWIW, I'm *not* implying we should refrain from supporting 
>>> CubaConf. In fact, I was privately contacted by Valessio, as
>>> I'm among the closest DDs to the island;I denied because the
>>> dates are impossible to me.
>>> 
>>> Also worth noting: Back in 2011, I went to PGDay in Cuba,
>>> together with other three people with a PostgreSQL affiliation.
>>> PostgreSQL is a SPI-hosted project as well. SPI was, however,
>>> unable to reimburse our travel due to the US-Cuba embargo.
>>> 
>>> I know the relations between said nations is on its way to 
>>> renormalization, but AFAICT the embargo is still active, so we 
>>> should better check with lawyers if we are to offer
>>> reimbursement to anybody to attend.
>>> 
>> 
>> Debian does not have an exclusive relationship with SPI, the
>> audit committee wiki page[1] lists several Debian trust
>> organizations in European countries.
> 
> The Debian UK Society reimbursed one DD for attending a conference
> in Cuba, in 2006.  (Reported here: 
> https://lists.debian.org/debian-devel-announce/2006/07/msg0.html
> )
> 
>> The lawyer may also need to advise on issues such as: - can US
>> citizens be involved in discussions about such funding? - can
>> infrastructure in the US be used to discuss such funding (e.g. 
>> mailing lists, wiki, or the BTS)
> [...]
> 
> That's pretty damn meta.
> 

If Debian is handling money, even indirectly, it is just as important
as the "non-US" stuff that used to be done for crypto[1]

If any US-based DD runs foul of the law or if any DD is given special
treatment at a US airport then this is something that could come back
to bite[2]

The Wikipedia article simply states[3] it is "illegal for U.S.
citizens to have transactions in Cuba"

It is not just Cuba.  At the time that Iran's sanctions were lifted,
the US quietly brought in regulations that punish Europeans who go to
any conference or holiday in Iran[4].  So if Debian is truly
"universal" and worldwide, we will always have to be conscious of such
things that may impact participants who travel.




1. https://wiki.debian.org/non-US
2. http://latinamericanstudies.org/us-cuba/canadian.htm
3.
https://en.wikipedia.org/wiki/United_States_embargo_against_Cuba#Restrictions_on_tourism_by_U.S._citizens_and_residents
4.
http://www.nytimes.com/2016/02/19/us/politics/us-expands-restrictions-on-visa-waiver-program-for-visitors.html?_r=0

Re: Any Debian support for CubaConf

[Daniel Pocock]

On 27/02/16 04:05, Gunnar Wolf wrote:
> Daniel Pocock dijo [Thu, Feb 25, 2016 at 11:10:15AM +0100]:
>> Maybe it is worthwhile for the DPL to simply assign a sum of
>> money for travel grants every 3 - 6 months and then people could
>> shortlist all the opportunities like this, identify if there are
>> volunteers who want to go and find some way to divide the money
>> up fairly between them?
>> 
>> The MiniDebConfs in Brazil and Singapore have already been
>> mentioned in a thread last week, there is also a MiniDebConf in
>> Vienna soon and all of these appear interesting.
> 
> With the important difference that it's not the same to have
> Debian presence at an external, general conference than holding a 
> Debian-specific miniconf.
> 

That would be one factor in comparing events when there are several
competing demands for funds.  Some non-Debian events also offer
partial or full funding to speakers and so it is not always being
requested from Debian.

> FWIW, I'm *not* implying we should refrain from supporting 
> CubaConf. In fact, I was privately contacted by Valessio, as I'm
> among the closest DDs to the island;I denied because the dates are 
> impossible to me.
> 
> Also worth noting: Back in 2011, I went to PGDay in Cuba, together 
> with other three people with a PostgreSQL affiliation. PostgreSQL
> is a SPI-hosted project as well. SPI was, however, unable to
> reimburse our travel due to the US-Cuba embargo.
> 
> I know the relations between said nations is on its way to 
> renormalization, but AFAICT the embargo is still active, so we
> should better check with lawyers if we are to offer reimbursement
> to anybody to attend.
> 

Debian does not have an exclusive relationship with SPI, the audit
committee wiki page[1] lists several Debian trust organizations in
European countries.

The lawyer may also need to advise on issues such as:
- can US citizens be involved in discussions about such funding?
- can infrastructure in the US be used to discuss such funding (e.g.
mailing lists, wiki, or the BTS)

Whatever the legal advice, Debian would also need to be careful not to
give sponsors in the US the impression that their funds could
accidentally be used in this way.

Maybe somebody could just end up in Cuba by mistake[2] though.


1. https://wiki.debian.org/Teams/Auditor
2. http://www.bbc.com/news/world-us-canada-35259429

Re: Any Debian support for CubaConf

[Daniel Pocock]

On 23/02/16 22:13, Valessio Brito wrote:
> Hello guys,
> 
> How Debian could make a support for realization of CubaConf[1]?
> 
> CubaConf = Conferencia Internacional de Software Libre April 25-27 -
> Cuban Art Factory Havana/Cuba
> 
> Is sponsoring a Debian Developer to attend/talking the event or
> collaborating with some of the expenses. I know we have such limited
> resources. But the values are not very supportive[2].
> 
> Personally, already I requested the production of 50 Debian t-shirts.
> I will sell at cost price (~$8) as an incentive to promotion of Debian 
> Project.
> Or have a InstallFest[3], and each computer with Debian wins a t-shirt free.
> 
> I think the important thing for the success of the event is to have
> Debian developers participating. Anyone DD near Cuba, go to CubaConf.
> Plz!
> 

Maybe it is worthwhile for the DPL to simply assign a sum of money for
travel grants every 3 - 6 months and then people could shortlist all the
opportunities like this, identify if there are volunteers who want to go
and find some way to divide the money up fairly between them?

The MiniDebConfs in Brazil and Singapore have already been mentioned in
a thread last week, there is also a MiniDebConf in Vienna soon and all
of these appear interesting.

Re: financial support for the MiniDebConf at Curitiba, Brazil

[Daniel Pocock]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 16/02/16 13:47, Antonio Terceiro wrote:
> Hi,
> 
> We are organizing a MiniDebconf in Curitiba, Brazil, which will
> take place on March 5th and 6th.
> 
> http://br2016.mini.debconf.org/
> 
> I would like to request finnacial support from Debian funds to
> cover expenses of the organization, such as paying the people who
> will run the venue during the event and clean it up afterwards,
> renting chairs for the space that will be used as an auditorium,
> making a few Debian banners, and food/drinds for coffee breaks. The
> detailed budget is being recorded at the wiki¹ (in Portuguese,
> sorry).
> 
> ¹
> https://wiki.debian.org/DebianEvents/br/2016/MiniDebconfCuritiba/Custo
>
>  The details are not final yet, but the worst case scenario at this
> point is R$ 2500.00, which by yesterday conversion rates is ~ €
> 565.
> 


I'd also like to request that the Debian project consider using funds
to support the MiniDebConf at FOSSASIA in Singapore.

The FOSSASIA team are already pledging some support to the MiniDebConf
including venue, some local volunteers, managing the schedule and
table space.

To get the maximum benefit out of these opportunities, it would be
desirable for Debian to sponsor two or three DDs from outside the
region to travel to either event in Brazil or Singapore and give talks.

As a minimum, I'd suggest Debian offering each potential speaker
approximately $US 500 to cover hotel costs for 3 nights and this may
attract people who will pay their own flights and take a vacation out
there. If Debian could make a contribution to flight costs as well
that would be even better.

Both of these events are just before the GSoC 2016 student application
deadline so they are both great opportunities for Debian to invite
potential students to meet potential mentors and learn about Debian's
values.

Regards,

Daniel
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJWwy0PAAoJEGxlgOd711bEVnkP+gJOiZ0/pcF+3LX6+T/HsMsF
nv6gWUdpQ9UqHdR16UqQDEH0ujf/Gv9P2RJ3o/SzwrOkfC/WqozLLlHS6xJCh7OA
jYzt1PMbk+tkTQZfDcDVSWtBPSvMvC3K+tGf0njEn50U67KPug9JS3cvEDHenP+B
cpR99jlbnQSyTQAdyTKlwW+HE6hPg4GRZhHrTpriZEFwS+ngXvMrz8NBmsHDYTM9
6VNHDQdZE3uzrdVIyRamjWDz0Yk/gh5f/3sTUxgKlgqqeo62UUzfr62J9heT/gef
yZdDpnrVs8aeXg5ImL7BRpSdYLPw7jJZOobB6EwnDEcZ6qIDXxlZw7LYTyAUrUA6
SIzZSPsKg8XkqEsY3qZ665jkeLJVzZXVR8tUxTTGnj7HOfFNfZvvImjOMh649LBB
W8UN0aUdR9mZXamuu/hP2bG6kyuM/HXvtSfF/f6g9LqjrMqyg/mvMSwYvxw/A4Kc
zJsV/y7Dw0q7FiYB/iPFodlNaNyrin5i9M2K26yFT2OEN4n2CNhPs1hhfOV7FBDL
6bxBXt8S20v0qUx1eGPjYwvuHy9ZWkqi0CCv5P53ePSm2OpiSUqseKCI0K0ll+M4
dTL1z3AHjjG5aDedChqFg/S8wY+PGyYipqcWPIGdSKnOoxr44LFH4spWvwEH+Mjd
f3+HKirai+4Us9M0RbtO
=6aqU
-END PGP SIGNATURE-

support for new mailing list debian-events-apac?

[Daniel Pocock]

There are various debian-events-* mailing lists, I've requested a new
one for Asia/Pacific region events:

https://bugs.debian.org/814779

As requested by the listmasters[1], could people in favour of this idea
please send an email of support to 814...@bugs.debian.org (or just reply
to this email)

The new list would be a useful place to discuss the upcoming FOSSASIA[2]
and other events in Asia, Australia, NZ and beyond.

Regards,

Daniel


1. https://www.debian.org/MailingLists/HOWTO_start_list
2. http://2016.fossasia.org

Re: does Debian help detect gravitational waves?

[Daniel Pocock]

On 14/02/16 01:56, Yaroslav Halchenko wrote:
> 
> On Sun, 14 Feb 2016, Aurelien Jarno wrote:
>>> https://www.lsc-group.phys.uwm.edu/lscdatagrid/doc/reference-platform.html
> 
>>> The Ganglia graph (top right corner of the page) appears to be generated
>>> on a Debian host using the official packages (it has ganglia-webfrontend
>>> in the URL)
> 
>>> Drill down into the Ganglia reports and we can even see things like
>>> kernel package version
> 
>>> http://silkspectre.cgca.uwm.edu/ganglia/?r=hour&cs=&ce=&m=os_release&s=by+name&c=NEMO&h=&host_regex=&max_graphs=0&tab=m&vn=&sh=1&z=small&hc=4
> 
>>> os_release: 3.16.0-0.bpo.4-amd64
> 
> 
>> Please have a look at the article (BTW released under CC license):
> 
>>   https://journals.aps.org/prl/pdf/10.1103/PhysRevLett.116.061102
> 
>> The article itself has one thousand of authors from 133 different
>> institutes member of the LIGO and VIRGO cooperation. It is a result of
>> a huge amount of work by thousands of persons in the last 15 years to
>> design, build, improve, operate the instrument, but also to work on the
>> theory or simulation.
> 
>> For sure Debian has been used somewhere, just like Slackware, MS-DOS,
>> HP-UX or any other system have helped at some moment. Just looking at
>> one random website from one small subpart of the whole project to
>> conclude about the Debian implication in the whole project just doesn't
>> make sense. It is just like deducing that pelican helps the Debian
>> project because it is used on the Debian blog.
> 
> FWIW that link
> https://www.lsc-group.phys.uwm.edu/lscdatagrid/doc/reference-platform.html
> at least now has already explicit listing
> 
> Reference Operating Systems
> 
> Scientific Linux 6.1
> Debian 6.0 Squeeze
> CentOS 5.3 (to be deprecated)
> Debian 5.0, Lenny (to be deprecated)
> 
> So I guess Debian was of some notable help, and I am really glad that our work
> at least tiny bit contributed to this event.  But that is it.  Somewhat
> twisting while overall agreeing with the point of Aurelien's reply --
> Debian was probably used somewhere along the way of any recent sizeable
> research endeavor simply because it is used in so many scenarios and places.
> 
> Was Debian indispensable? probably not,  was it facilitating? hopefully yes.
> 

I don't think anybody was suggesting it was indispensable.

Nonetheless, Debian appears to have been chosen over other alternatives
and mentioned in a few places

It would be interesting to ask the more general question if free
software is indispensable for such efforts though

does Debian help detect gravitational waves?

[Daniel Pocock]

https://www.lsc-group.phys.uwm.edu/lscdatagrid/doc/reference-platform.html

The Ganglia graph (top right corner of the page) appears to be generated
on a Debian host using the official packages (it has ganglia-webfrontend
in the URL)

Drill down into the Ganglia reports and we can even see things like
kernel package version

http://silkspectre.cgca.uwm.edu/ganglia/?r=hour&cs=&ce=&m=os_release&s=by+name&c=NEMO&h=&host_regex=&max_graphs=0&tab=m&vn=&sh=1&z=small&hc=4

os_release: 3.16.0-0.bpo.4-amd64

FOSSASIA Debian speakers and potential mini-DebConf

[Daniel Pocock]

The FOSSASIA conference[1] is coming up again soon, it is in Singapore
this year, 18 - 20 March

It has also been suggested there could be a mini-DebConf associated with
the event in some way.

Is anybody interested in participating in any way?  The call for
speakers[2] is still open.

They also indicated they are unable to fund speaker travel, is anybody
aware of opportunities for funding for Debian Developers who are invited
to speak at FOSSASIA or an associated mini-DebConf?

Singapore is one of the most successful and prominent economic centres
in the region and this appears to be a good opportunity for Debian to
have some exposure there.

Regards,

Daniel

1. http://2016.fossasia.org/

2. http://2016.fossasia.org/speaker-registration

Re: Short tribute video in honor of Ian Murdock in FOSDEM

[Daniel Pocock]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 16/01/16 16:38, Holger Levsen wrote:
> Hi Laura,
> 
> On Samstag, 16. Januar 2016, Laura Arjona Reina wrote:
>> We, the Debian Publicity team, are trying to prepare a short
>> tribute video in honour of Ian Murdock to be screened at
>> FOSDEM[1]
> 
> awesome!
> 
> where+when exactly do you plan to show it there? FOSDEM is huuuge.
> Did you contact the organizers to maybe show it at the closing or
> opening event?
> 
> 

The FOSDEM organizers have been very kind and proactive in this, I saw
some emails that went around about it already.  If you have access to
Pentabarf, you may see an unconfirmed event with Debian in the title,
it looks like they have reserved a suitable location and it should
show up on the FOSDEM public schedule when they confirm it.  I don't
want to steal their thunder though, so we'll just have to wait for
that to be announced.

Regards,

Daniel
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQIcBAEBCAAGBQJWmoYxAAoJEGxlgOd711bEvmwP+gK53ueVoexzBQox2bMVD+bx
NqjqD3AkWdyjId4USf9rMe0E/CBgXlqE5ILFEsF+Bq0pq8Lpu1uqgGb9E8p3TWKq
r8yWaEusBtJNENXk9hQ8LpZVXbBVvdgbflB0FrEoxIUnmgA0NNJRtsFIJ/PVsyWD
EHRWBeyPFbmjdAIhPn24tbXv60oElYkrP1zVdfvB5ZS68olaX5tARDNbGGpxhqGR
fOCq33W76htJumAmhx2W6BW0qeAT+cgcd9P70GwA421RsRe7MX9Ei9+rfH4xvQ7K
PWTZkAWeVUeMQqGYkYSyQbRsno7BrT9QCTjNMsBj6XRzuWFr3MBxbBgOThmyJNSk
vaWWtggXakvggF0UtVpt78f2PBas3sMwqVpKqy4GnW4MqNLDC/9QTNiQ+xL6/lf7
lZ4UqLzs1FRxqvdg5OW9L4A+e99T5rRIpsd/903eSwZy/2dlyB6XfjtIuHDUUMAi
DYv8J6pDpdD63hXU7M8WvN6pedvyAik++VHK+ZorKxHrZPbn+doNMi6/T7Y4HhGD
qrXivKPDjfLyyhbDkrEnmaJGRhMYiFPXHCNOgxTInJcK6qCn5IbjXyKHB12h6PoX
4/aAyHaavFVVOi3P9a2GuwJK7JDphdNU4aZCf40Q9AUbiHV1GZBn7r5zmplcEdD5
3za4znpnGw9One/sWuuX
=EOkv
-END PGP SIGNATURE-

Re: Renaming the Debian Project

[Daniel Pocock]

On 11/01/16 17:54, Chris Knadle wrote:
> Daniel Pocock:
>>
>>
>> On 06/01/16 05:19, Chris Knadle wrote:
>>> Daniel Pocock:
>>>>
>>>>
>>>> On 31/12/15 04:22, Steve Langasek wrote:
>>>>> On Wed, Dec 30, 2015 at 02:03:40PM -0800, benjamin barber wrote:
>>>>>> It's unfortunate that Debian is named after Debra and Ian,
>>>>>> because having the project named after a white supremacist, who
>>>>>> used his ex-wifes name as an trophy.
>>>>>
>>>>> I agree in whole with the responses of my fellow developers Dimitri
>>>>> and Russ.  I also believe, because the Internet never forgets, that
>>>>> this libelous accusation needs to be addressed directly.
>>>>>
>>>>> In the time leading up to Ian's death, he posted on his now-deleted
>>>>> twitter account about an altercation with police.  He described
>>>>> being the victim of police brutality, and expressed the desire that
>>>>> his story be widely known - in the hopes that, where stories of
>>>>> police brutality (up to and including murder) of racial minorities
>>>>> in the United States have failed to lead to the systemic reforms
>>>>> that are needed, perhaps a story of a white, affluent, educated,
>>>>> middle-aged man being a victim of the same systems might tip the 
>>>>> scale.
>>>>>
>>>>> In the course of expressing these views on twitter, Ian used a
>>>>> racial epithet.
>>>>>
>>>>
>>>> In fact, it has not been verified that those Tweets were from Ian
>>>> himself.  It can only be said that there were Tweets and they appear
>>>> to originate from Ian's Twitter ID.
>>>>
>>>> Had somebody hacked his account?
>>>
>>> I believe the Tweets that have been posted are really from Ian.  The basis
>>> of my belief is a story at The Register which quotes the facts as stated by
>>> the San Francisco Police Department in the last few paragraphs:
>>>
>>>http://www.theregister.co.uk/2015/12/30/ian_murdock_debian_founder/
>>
>> There is a general consensus not to keep picking through the details on
>> the mailing list.  I only posted those questions about the matter to
>> emphasize the lack of information - none of the material anybody has
>> provided can answer those questions conclusively with hard evidence so
>> there is nowhere for this thread to go.  Please don't feel I am
>> encouraging people to seek out answers, I only posted the questions to
>> highlight the lack of facts in the original troll mail, we just have to
>> sit back and wait and see if they are answered from a credible source.
>>
>> The PR statements are not a credible source, only an official report
>> from an inquiry has any weight.  PR statements are not made under oath
>> like evidence in court or an affidavit.
> 
> No, it's not PR statements.  Police departments have an officer assigned to

The police officer has a twitter page, it looks like her responsibility
is PR:

https://twitter.com/officergrace

When I say PR is "not a credible source", I don't mean that in a
disparaging way, I'm just saying it is not an official report.

> state the facts known when the media calls them... which they do regularly
> to find out about new events that have happened.  I don't see why you'd need
> the police department or the media author to be under oath to accept what
> they state, especially being that in this case what's stated correlates with
> what Ian seems to have said himself.
> 

Haven't you ever seen an interrogation in the movies where they lie to a
suspect and tell him that his brother has just signed a confession?
They do that in real life, it is not just the movies.  I'm not trying to
disparage them for it, just to point out that it is part of how they do
their job.  It can be the same with PR.  Then they go to court and take
an oath like anybody else and tell the truth as best as any human being can.

> Being that there's not likely to be a court case, nobody is going to be
> under oath and so if we went by the "rules" you've laid out above, there
> would never be anything what you call "credible" to discuss, and therefore
> all this message does is to try to hush others politically, and I object to
> that.
>

Court case: no, people who are deceased generally can't go on trial

In some situations there could be an inquest, in a court room, where
people give evidence under oath:
https://en.wikipedia.org/wiki/Inquest
but such a procedure is not prosecuting Ian or the police or anybody
else, it is just to establish the facts.  This can happen after an
industrial accident, for example, to identify better safety procedures
and avoid future loss of life.

It is not about hushing people politically, it is just out of respect
for his family and others who know Ian personally.  A long thread with a
many opinions about the tweets would not be helpful at this time.

Regards,

Daniel

Re: Renaming the Debian Project

[Daniel Pocock]

On 06/01/16 05:19, Chris Knadle wrote:
> Daniel Pocock:
>>
>>
>> On 31/12/15 04:22, Steve Langasek wrote:
>>> On Wed, Dec 30, 2015 at 02:03:40PM -0800, benjamin barber wrote:
>>>> It's unfortunate that Debian is named after Debra and Ian,
>>>> because having the project named after a white supremacist, who
>>>> used his ex-wifes name as an trophy.
>>>
>>> I agree in whole with the responses of my fellow developers Dimitri
>>> and Russ.  I also believe, because the Internet never forgets, that
>>> this libelous accusation needs to be addressed directly.
>>>
>>> In the time leading up to Ian's death, he posted on his now-deleted
>>> twitter account about an altercation with police.  He described
>>> being the victim of police brutality, and expressed the desire that
>>> his story be widely known - in the hopes that, where stories of
>>> police brutality (up to and including murder) of racial minorities
>>> in the United States have failed to lead to the systemic reforms
>>> that are needed, perhaps a story of a white, affluent, educated,
>>> middle-aged man being a victim of the same systems might tip the 
>>> scale.
>>>
>>> In the course of expressing these views on twitter, Ian used a
>>> racial epithet.
>>>
>>
>> In fact, it has not been verified that those Tweets were from Ian
>> himself.  It can only be said that there were Tweets and they appear
>> to originate from Ian's Twitter ID.
>>
>> Had somebody hacked his account?
> 
> I believe the Tweets that have been posted are really from Ian.  The basis
> of my belief is a story at The Register which quotes the facts as stated by
> the San Francisco Police Department in the last few paragraphs:
> 
>http://www.theregister.co.uk/2015/12/30/ian_murdock_debian_founder/

There is a general consensus not to keep picking through the details on
the mailing list.  I only posted those questions about the matter to
emphasize the lack of information - none of the material anybody has
provided can answer those questions conclusively with hard evidence so
there is nowhere for this thread to go.  Please don't feel I am
encouraging people to seek out answers, I only posted the questions to
highlight the lack of facts in the original troll mail, we just have to
sit back and wait and see if they are answered from a credible source.

The PR statements are not a credible source, only an official report
from an inquiry has any weight.  PR statements are not made under oath
like evidence in court or an affidavit.

Fwd: potential awards for Ian Murdock

[Daniel Pocock]

Can anybody else comment on awards that Ian could be nominated for?



 Forwarded Message 
Date:   Sun, 3 Jan 2016 22:29:43 +
From:   Flee ICT 
To: dan...@pocock.pro



Dear sir,

In your web article dated 2/1/2016 on Ian Murdock you wrote:

> Can anybody think of awards that Ian Murdock should be nominated for,
either in free software, computing or engineering in general? Some, like
the prestigious Queen Elizabeth Prize for Engineering can't be awarded
posthumously but others may be within reach.

These came to mind:

ACM Turing Prize
http://amturing.acm.org/

ACM Distinguished Service Award
http://awards.acm.org/distinguished_service/

EFF Pioneer Award
https://en.wikipedia.org/wiki/EFF_Pioneer_Award

IEEE Computer Pioneer Award
http://www.computer.org/web/awards/pioneer

Lovelace Medal
https://en.wikipedia.org/wiki/Lovelace_Medal

Thank you for remembering Mr. Murdock so kindly.

(--> Flee ICT)

Re: Renaming the Debian Project

[Daniel Pocock]

On 31/12/15 04:22, Steve Langasek wrote:
> On Wed, Dec 30, 2015 at 02:03:40PM -0800, benjamin barber wrote:
>> It's unfortunate that Debian is named after Debra and Ian,
>> because having the project named after a white supremacist, who
>> used his ex-wifes name as an trophy.
> 
> I agree in whole with the responses of my fellow developers Dimitri
> and Russ.  I also believe, because the Internet never forgets, that
> this libelous accusation needs to be addressed directly.
> 
> In the time leading up to Ian's death, he posted on his now-deleted
> twitter account about an altercation with police.  He described
> being the victim of police brutality, and expressed the desire that
> his story be widely known - in the hopes that, where stories of
> police brutality (up to and including murder) of racial minorities
> in the United States have failed to lead to the systemic reforms
> that are needed, perhaps a story of a white, affluent, educated,
> middle-aged man being a victim of the same systems might tip the 
> scale.
> 
> In the course of expressing these views on twitter, Ian used a
> racial epithet.
> 

In fact, it has not been verified that those Tweets were from Ian
himself.  It can only be said that there were Tweets and they appear
to originate from Ian's Twitter ID.

Had somebody hacked his account?

Had somebody stolen his mobile phone and hacked the screen unlock?
Has the phone been found yet?

Has somebody found an arbitrary way to send Tweets with forged identities?

Did Ian rename or close his Twitter account at some point and then
somebody else created a new Twitter account using the same name?

Re: Renaming the Debian Project

[Daniel Pocock]

On 30/12/15 23:03, benjamin barber wrote:
> It's unfortunate that Debian is named after Debra and Ian, because
> having the project named after a white supremacist, who used his
> ex-wifes name as an trophy. Being that the current year is almost 2016
> and is 20 years after Debian started, we should look to the future and
> not the past. We shouldn't tolerate the project being named after a
> person who uses the N word, or marginalizes women who've been sexually
> assaulted. Instead I think we ought to rename the project "Euphemia",
> which means "good speech" and represents our code of conduct, as well as
> being the name of Euphemia Lofton Haynes the first African American
> woman who earned a math PHD.


a) leave out debian-devel, maybe continue on debian-project alone?

b) is Debra's opinion documented anywhere?

c) do you have verifiable references for the other allegations you are
making about the project founder?  It is very inappropriate to post
things like that without citing some solid evidence, doing so only
undermines your own credibility.

Re: mailing list for debian-rtc activities

[Daniel Pocock]

The debian-rtc list is now created:

https://lists.debian.org/debian-rtc/

Please come and join if you have questions about rtc.debian.org or
anything about RTC on a Debian system.

Please also look out for the FOSDEM main track announcements...

Regards,

Daniel